About this Book and the Library 


This guide describes how end-users and some administrators can use the NetIQ Identity Manager 
identity applications, particularly the Dashboard and User Application. 


Intended Audience 


This book provides information for individuals responsible for understanding administration 
concepts and implementing a secure, distributed administration model. 


Other Information in the Library 


For more information about the library for Identity Manager, see the Identity Manager 
documentation website. 


About NetIQ Corporation 


We are a global, enterprise software company, with a focus on the three persistent challenges in 
your environment: Change, complexity and risk—and how we can help you control them. 


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new 
In fact, of all the challenges you face, these are perhaps the most prominent variables that deny 
you the control you need to securely measure, monitor, and manage your physical, virtual, and 
cloud computing environments. 

Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost-effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software 


In order to provide reliable control, we first make sure we understand the real-world scenarios 
in which IT organizations like yours operate — day in and day out. That's the only way we can 
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And 
that's so much more rewarding than simply selling software. 

Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to 
deployment, we understand that you need IT solutions that work well and integrate seamlessly 
with your existing investments; you need ongoing support and training post-deployment; and 
you need someone that is truly easy to work with — for a change. Ultimately, when you 
succeed, we all succeed. 


Our Solutions 


+ Identity & Access Governance 

+ Access Management 

+ Security Management 

+ Systems & Application Management 

+ Workload Management 

+ Service Management 


Contacting Sales Support 


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netiq.com/about_netiq/officelocations.asp 
United States and Canada: 1-888-323-6768 
Email: info@netiq.com 
Web Site: www.netiq.com 


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netiq.com/support/contactinfo.asp 
North and South America: 1-713-418-5555 
Europe, Middle East, and Africa: +353 (0) 91-782 677 
Email: support@netiq.com 
Web Site: www.netiq.com/support 


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. The documentation for this product is 
available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log 
in. If you have suggestions for documentation improvements, click Add Comment at the bottom of 
any page in the HTML version of the documentation posted at www.netiq.com/documentation. You 
can also email Documentation-Feedback@netiq.com. We value your input and look forward to 
hearing from you. 


Contacting the Online User Community 


NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your 
peers and NetIQ experts. By providing more immediate information, useful links to helpful 
resources, and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the 
knowledge you need to realize the full potential of IT investments upon which you rely. For more 
information, visit https://www.netiq.com/communities/. 


Welcome to Identity Manager 


NetIQ Identity Manager is a system software product that your organization uses to securely manage 
the access needs of its user community. If you’re a member of that user community, you benefit 
from Identity Manager in a number of ways. For example, Identity Manager enables your 
organization to: 


+ Give users access to the information (such as group org charts, department white pages, or 
employee lookup), as well as roles and resources (such as equipment or accounts on internal 
systems) that they need, right from day one 


+ Synchronize multiple passwords into a single login for all your systems 


+ Modify or revoke access rights instantly when necessary (such as when someone transfers to a 
different group or leaves the organization) 


+ Support compliance with government regulations 


Read this part first to learn about the Identity Manager identity applications and how to begin using 
them. This guide is designed to assist the following types of online activity in your organization: 

+ Manage your online identity associated with organizational resources. 

+ View or modify your access to organizational roles and resources. 

+ Approve requests for access to resources and roles. 


+ Manage the permissions associated with software applications and other resources that your 
organization provides to members of your organization. 


1 Getting Started 


This section tells you how to begin using the identity applications. Topics include: 


+ “Understanding Roles and Resources” 

+ “Understanding the Identity Applications” 

+ “Understanding Identity Manager Dashboard” 

+ “Exploring the Dashboard” 

+ “Understanding Tasks” 

+ “Typical Ways to Use the Identity Applications” 


Understanding Roles and Resources 


In the identity applications, a permission represents the access provided to a user or group of users 
for a role or resource. A role defines a set of permissions related to one or more target systems or 
applications. For example, a user administrator role might be authorized to reset a user's password, 
while a system administrator role might have the ability to assign a user to a specific server. A 
resource is any digital entity such as a user account, computer, or database that a business user 
needs to be able to access. 


Understanding the Identity Applications 


The Identity Manager identity applications are an interconnected set of browser-based Web 
applications. They enable your organization to manage the user accounts and permissions 
associated with the wide variety of roles and resources available to users. You can configure the 
identity applications to provide self-service support for your users, such as requesting roles or 
changing their passwords. You can also set up workflows to improve the efficiency in managing and 
assigning roles and resources. 


Understanding Identity Manager Dashboard 


NetIQ Identity Manager Dashboard (the Dashboard) serves as the primary entry portal to the 
identity applications. The Dashboard can have one or many widgets that give you quick 
information about a particular activity. From your Dashboard, you can perform the following activities: 

+ Manage your profile settings and password. 

+ View your organization chart details. 

+ Review and complete your tasks, such as approving user requests for access. 

+ Request permissions for roles, resources, or processes. 

+ Review the status and history of the requests for permissions. 


+ Find other users in your organization. 
+ Personalize your dashboard by adding widgets and repositioning them based on your interests. 

+ Set any user as your proxy from the system. 

+ Delegate your tasks to other users from the system. 


You can perform the following tasks with the appropriate permissions: 


+ Create and modify user profiles. 
+ View the organization chart details of other users. 


+ Create and modify teams that represent a set of users and groups that can perform provisioning 
requests and approval tasks associated with the teams. 


+ Request permissions or revoke permissions on behalf of other users in the organization. 


Exploring the Dashboard 


The Dashboard provides quick information about your tasks, permissions, and requests in the form 
of widgets. You can navigate to specific pages or applications with a single click. Additionally, you can 
add, remove, reposition, and configure widgets on your Dashboard. For more information about 
personalizing your Dashboard, see Chapter 3, “Managing Widgets and Layouts.” 


Following is an example that describes the default widget options on the Dashboard. 


Figure 1-1 Example Personal Dashboard 




Identity Manager Dashboard allows you to manage different activities on Identity Manager. 
Following are the pages that help you to manage your tasks and activities: 


Application 


Lists all the applications that are provisioned for you. This provides default links to several areas 
to streamline the basic tasks that you need to perform in Identity Manager. For more 
information, see “Understanding Applications Page.” 


Tasks 


Shows all your tasks that are pending an action. With an appropriate role, for example Team 
Manager, you can view the tasks of others. 


Access 


Allows you to view permissions or request permissions. To view the status of requested 
permissions, go to Request History. This page displays all your requests and their status. 


People 


Allows you to view other users or groups in the system and other users’ organization charts. This 
helps you visualize how those users and groups are related. 


Administration 


Allows you to view and manage roles, resources, permission reconciliation, and their 
configurations. This option appears only for administrators. For more information about 
Administration tasks, see Identity Applications Administration in NetIQ Identity Manager - 
Administrator’s Guide to the Identity Applications. 


Understanding Applications Page 


The second significant view in the Dashboard is the Applications page (Figure 1-2), which provides 
default links to several areas to streamline the basic tasks that end users and administrators need to 
perform in Identity Manager. 


Figure 1-2 Example of the Applications page on the Dashboard 




By default, Helpdesk Ticket appears on your Applications page. This option allows you to raise a ticket 
to your helpdesk. 


Your identity administrator customizes the Applications page to include tiles that link to commonly 
requested resources or applications that users regularly access. You can configure the user access for 
these tiles with an appropriate administrative role. Navigate to Your ID > Settings > Access to add 
trustees for the required navigation items. For more information on provisioning access, see 
Managing User Access in NetIQ Identity Manager - Administrator’s Guide to the Identity 
Applications. 


Some of the tiles on this page might appear only for users with an administrative role in the identity 
applications. For example, a person who can create or modify roles should see a tile similar to Create 
User and Manage Roles. 


For more information about using the Dashboard, click the Help icon on the Dashboard. 


Understanding Tasks 


The Tasks page allows you to approve or deny actions for the tasks listed. 


The Identity Manager dashboard allows you to manage the Identity Manager and Identity 
Governance tasks from the Tasks page. You can now view and approve both Identity Manager and 
Identity Governance tasks from the same user interface. 


Typical Ways to Use the Identity Applications 


Here are some examples of how people typically use the identity applications within an organization. 


+ “How Identity Self-Service Works” 

+ “How Roles and Resources Work” 

+ “How Process Requests Work” 

+ “How Helpdesk Works?” 


How Identity Self-Service Works 


+ Ella (an end user) recovers her forgotten password through the identity self-service features 
when logging in. 


By default, Identity Manager uses Self Service Password Reset (SSPR) to allow users to modify 
their passwords. However, the identity applications can use other methods for managing 
forgotten passwords. 


+ Erik (an end user) performs a search for all employees who speak German at his location. 


+ Eduardo (an end user) browses the organization chart, finds Ella, and clicks the e-mail icon to 
send a message to her. 


How Roles and Resources Work 


The following example explains the flow of role and resource requests in the system: 


Figure 1-3 Example Scenario of Role Assignment 


+ Maxine (a Role Manager) creates the Nurse and Doctor business roles and the Administer Drugs 
and Write Prescriptions IT roles. Maxine creates several resources that are needed for these 
roles, and associates the resources with the roles. 

+ Maxine (a Role Manager) defines a relationship between the Nurse and Administer Drugs roles, 
specifying that the Nurse role contains the Administer Drugs role. Maxine also defines a 
relationship between the Write Prescriptions and Doctor roles, specifying that the Doctor role 
contains the Write Prescriptions role. 

+ Chester (a Security Officer) defines a separation of duties constraint that specifies that a 
potential conflict exists between the Doctor and Nurse roles. This means that ordinarily the 
same user should not be assigned to both roles at the same time. In some circumstances, an 
individual who requests a role assignment may want to override this constraint. To define a 
separation of duties exception, the individual who requests the assignment must provide a 
justification. 

+ Ernest (an end user) browses a list of roles available to him, and requests assignment to the 
Nurse role. 

+ Amelia (an approver) receives notification of an approval request via e-mail (which contains a 
URL). She clicks the link, is presented with an approval form, and approves it. 

+ Arnold (a Role Manager) requests that Ernest be assigned to the Doctor role. He is notified that 
a potential conflict exists between the Doctor role and Nurse role, to which Ernest has already 
been assigned. He provides a justification for making an exception to the separation of duties 
constraint. 

+ Edward (a separation of duties approver) receives notification of a separation of duties conflict 
via e-mail. He approves Arnold’s request to override the separation of duties constraint. 

+ Amelia (an approver) receives notification of an approval request for the Doctor role via e-mail. 
She approves Arnold’s request to assign Ernest to the Doctor role. 

+ Bill (a Role Auditor) looks at the SoD Violations and Exceptions Report and sees that Ernest has 
been assigned to both the Doctor and Nurse roles. In addition, he sees that Ernest has been 
assigned the resources associated with these roles. 
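

The scenario above as an added Python example. It is not NetIQ code and does not show how Identity Manager is implemented: it models role containment, the Doctor/Nurse SoD constraint, an override that needs a justification and an SoD approver, and the auditor's report. All class, method and field names are hypothetical, and the rule that the SoD approver must differ from the requester and the recipient is an assumption of the example.

```python
"""Added example (not Identity Manager code): a model of the Nurse/Doctor
scenario. Every class, method and field name here is hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodException:
    user: str
    roles: frozenset        # the two conflicting roles
    requester: str
    justification: str
    approved_by: str        # the SoD approver


@dataclass
class RoleCatalog:
    contains: dict = field(default_factory=dict)    # role -> set of contained roles
    sod: set = field(default_factory=set)           # {frozenset({role_a, role_b}), ...}
    assigned: dict = field(default_factory=dict)    # user -> directly assigned roles
    exceptions: list = field(default_factory=list)  # approved SodException records

    def expand(self, roles):
        """Return the given roles plus every role they contain, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.contains.get(role, ()))
        return seen

    def conflicts(self, user, new_role):
        """SoD pairs the user would newly hold in full if new_role were granted."""
        held = self.expand(self.assigned.get(user, ()))
        after = held | self.expand([new_role])
        return sorted(tuple(sorted(p)) for p in self.sod
                      if p <= after and not p <= held)

    def assign(self, user, role, requester, approver,
               justification="", sod_approver=None):
        """Grant a role. A grant that trips an SoD constraint goes through only
        with a justification from the requester and an SoD approver's sign-off."""
        hits = self.conflicts(user, role)
        if hits and not justification.strip():
            raise PermissionError(f"SoD conflict {hits}: justification required")
        # Assumption of this example, not stated in the guide: the SoD approver
        # must be someone other than the requester and the recipient.
        if hits and sod_approver in (None, requester, user):
            raise PermissionError(f"SoD conflict {hits}: independent SoD approver required")
        for pair in hits:
            self.exceptions.append(SodException(
                user, frozenset(pair), requester, justification.strip(), sod_approver))
        self.assigned.setdefault(user, set()).add(role)
        return {"user": user, "role": role, "approver": approver, "sod_exceptions": hits}

    def sod_report(self):
        """One row per user who holds both sides of a constraint: 'exception'
        if an approved override is on file, otherwise 'violation'."""
        rows = []
        for user in sorted(self.assigned):
            held = self.expand(self.assigned[user])
            for pair in sorted(self.sod, key=sorted):
                if pair <= held:
                    on_file = any(e.user == user and e.roles == pair
                                  for e in self.exceptions)
                    rows.append((user, tuple(sorted(pair)),
                                 "exception" if on_file else "violation"))
        return rows


def build_catalog():
    """Roles and constraint as Maxine and Chester define them in the scenario."""
    return RoleCatalog(
        contains={"Nurse": {"Administer Drugs"}, "Doctor": {"Write Prescriptions"}},
        sod={frozenset({"Doctor", "Nurse"})},
    )


def run_scenario():
    """Replay the steps; returns the catalog and whether the unjustified request was refused."""
    cat = build_catalog()
    cat.assign("Ernest", "Nurse", requester="Ernest", approver="Amelia")
    try:  # Arnold's request without a justification is refused
        cat.assign("Ernest", "Doctor", requester="Arnold", approver="Amelia")
        refused = False
    except PermissionError:
        refused = True
    cat.assign("Ernest", "Doctor", requester="Arnold", approver="Amelia",
               justification="Constructed sample justification",
               sod_approver="Edward")
    return cat, refused


if __name__ == "__main__":
    catalog, refused = run_scenario()
    print("unjustified request refused:", refused)
    print("effective roles:", sorted(catalog.expand(catalog.assigned["Ernest"])))
    print("report:", catalog.sod_report())
```

A role added to a user's record without going through `assign` shows up in `sod_report` as a violation rather than an exception, which is the distinction the auditor's report draws.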


How Process Requests Work 


+ Ernie (an end user) browses a list of resources available to him, and requests access to the 
Siebel* system. 

+ Amy (an approver) receives notification of an approval request via e-mail (which contains a 
URL). She clicks the link, is presented with an approval form, and approves it. 

+ Ernie checks on the status of his previous request for Siebel access (which has now gone to a 
second person for approval). He sees that it is still in progress. 

+ Amy is going on vacation, so she indicates that she is temporarily unavailable. No new approval 
tasks are assigned to her while she is unavailable. 

+ Amy opens her approval task list, sees that there are too many for her to respond to in a timely 
manner, and reassigns several to co-workers. 

+ Pat (an administrative assistant, acting as a proxy user for Amy) opens Amy’s task list and 
performs an approval task for her. 

+ Max (a manager) views the task lists of people in his department. He knows that Amy is on 
vacation, so he reassigns tasks to others in his department. 

+ Max initiates a request for a database account for someone in his department who reports 
directly to him. 

+ Max assigns Dan to be an authorized delegate for Amy. 

+ Dan (now a delegated approver) receives Amy’s tasks when she is unavailable. 

+ Max engages an unpaid intern, who should not be entered into the HR system. The system 
administrator creates the user record for this intern and requests that he be given access to 
Notes, Active Directory*, and Oracle*. 


How Helpdesk Works? 


The following example explains the flow of a helpdesk ticket in the system: 


Figure 1-4 Example for Helpdesk 

+ Emily (an end user) has requested access to an office printer. This request was pending for a 
long time. Therefore, she raised a helpdesk ticket. 

+ Helen (a helpdesk user) receives a notification of the helpdesk ticket in her list of tasks. 

+ Helen analyzes the issue and finds out that the request is assigned to Amy (an approver). 

+ This request is pending in the system because Amy is out of office. 

+ Helen has permission to reassign task requests. She reassigns this request to Mathew (Amy’s 
manager). 

+ Mathew reviews the request and approves it. Emily can access the office printer. 

+ Helen updates and closes the helpdesk ticket. 


Accessing the Identity Applications 


You access the identity applications, such as the Dashboard, in a Web browser. Identity Manager 
supports the most popular browser versions. See your system administrator for a list of supported 
browsers or for help installing one. Your organization should provide you with the URL and 
credentials required to access the applications. 


+ “Considerations for Accessing the Identity Applications” 

+ “Logging in the First Time” 

+ “Responding to a Preferred Locale Check” 

+ “Troubleshooting Login Issues” 

+ “Logging Out” 


Considerations for Accessing the Identity Applications 


Before accessing the Dashboard or any of the other identity applications, review the following 
considerations: 


+ You must enable cookies and enable JavaScript* in your Web browser. 

+ When using Internet Explorer, you should set the privacy level to at least Medium. You should 
also select the Every time I visit the webpage option under Tools > Internet Options > General, 
Browsing History > Settings > Check for newer versions of stored pages. If you do not have this 
option selected, some of the buttons may not be displayed properly. 

+ If you have previously accessed the Identity Manager User Application, you may be able to use 
the same user name and password to access the Dashboard. 

+ You cannot access the identity applications using an account that includes any of the following 
characters in the name: 

\ / , * ? . $ # + 

+ If you cannot log in, you can click Forgot password. For more information, see “If You Forget Your 
Password.” 

+ If you see a different first page when accessing the Identity Manager user interface, it’s typically 
because the application has been customized for your organization. As you work, you might find 
that other features of the identity applications have also been customized. 

If this is the case, you should check with your system administrator to learn how your 
customized identity applications differ from the default configuration described in this guide. 


Logging in the First Time 


You must be an authorized user to log in to the identity applications, such as the Dashboard. If you 
need help getting a username and password to supply for the login, see your system administrator. 


The first time that you log in to the identity applications, Identity Manager requires you to establish 
security parameters for your account to help with resetting your password in the future. If you forget 
your password and try to reset it the next time you log in, Identity Manager presents these configured 
questions and asks you to specify the correct answers. When your answers match the responses 
that you saved on this page, you can reset the password. 


To set up the security questions during your first login: 


1 Enter your username and password, then click Login. 
2 The login page automatically redirects you to the Challenge-Response page. 


3 Specify the questions and answers for the Security Questions. 

Setup Security Questions page (screenshot). The page reads: 

If you forget your password, you can access your account by answering your security 
questions. 

Please choose your questions and answers that can be used to verify your identity in 
case you forget your password. Because the answers to these questions can be used to 
access your account, be sure to supply answers that are not easy for others to guess or 
discover. 


4 Click Save Answers, and you are redirected to the Dashboard. 


Responding to a Preferred Locale Check 


If you receive a prompt to select your own preferred locale when you log in, your administrator 
configured the identity applications to perform a language check on users’ browsers. This might be 
necessary to ensure that the content that you see appears in a supported language. 


When prompted to add a locale, open the Available Locales list, select a locale, and click Add. For 
more information, see Adding the New Language to the Identity Applications. 


Troubleshooting Login Issues 


This section provides solutions to the following types of common login problems: 


+ “If You Forget Your Password” 

+ “If You Have Trouble Logging In” 

+ “If You're Prompted for Additional Information” 


If You Forget Your Password 


If you can’t remember the password, you might be able to use the Forgot Password link for 
assistance. When you are prompted to log in, this link appears on the page by default. You can use 
this link if your system administrator has set up an appropriate password policy for you. 

1 When you're prompted to log in, click the Forgot Password link. 

2 Type your username and click Submit. 


If Identity Manager responds that it can’t find a password policy for you, see your system 
administrator for assistance. 


3 Answer the challenge questions that display. Identity Manager prompts you to answer the 
configured questions. When your answers match the responses that you saved earlier, 
you can reset the password. Click Submit. For example: 


Answer the challenge questions to get assistance with your password. Depending on how the 
system administrator has set up your password policy, you could: 


+ Receive an e-mail containing your password 

+ Be prompted to reset your password 


If You Have Trouble Logging In 


If you are unable to log in, make sure that you're using the right username and typing the password 
correctly (spelling, uppercase or lowercase letters, etc.). If you still have trouble, consult your system 
administrator. It is helpful if you can provide details about the problem you are having (such as error 
messages). 


If You're Prompted for Additional Information 


You might be prompted for other kinds of information as soon as you log in. It all depends on how 
the system administrator has set up your password policy (if any). For example: 


+ If this is your first login, you are prompted to define your challenge questions and responses 


+ If your password has expired, you are prompted to reset it 


Logging Out 


When you are finished working on the Dashboard and other identity applications, you should log 
out. On the Dashboard, click your username in the upper right corner, then select Sign out. 


Customizing Your Dashboard 


The identity applications provide many options to change the display of your Dashboard and then 
save it as a personalized view. For example, you can add widgets and reposition them based on your 
interest. You can also configure the widget fields and personalize them. This document helps you 
understand the different options to personalize your Dashboard. 


3 Managing Widgets and Layouts 


Widgets are Dashboard objects that are designed to provide specific details to a user for a particular 
activity. For example, the Tasks widget provides details about new tasks, claimed tasks, or the tasks 
that are expected to expire shortly. Similarly, there can be many other widgets which can be 
configured on your Dashboard. 


Administrators who have access to the Settings page can provision widgets for a User, Group, 
Container, or Role from Your ID > Settings > Dashboard Widgets. 


To personalize your Dashboard, go to your Dashboard and click •••. 


Figure 3-1 Personalize Dashboard 




Use the following options to personalize your Dashboard: 


Figure 3-2 Personalization Options 




Widgets 


Allows you to add widgets to your Dashboard. See “Adding a Widget.” 


Layout 


Allows you to change the Dashboard layout. See “Changing the Dashboard Layout.” 


Cancel 


Cancels all the changes made to your Dashboard. 


Save 


Saves your changes and applies them to your Dashboard. 


Managing the Global Dashboard 


The Global Dashboard includes a set of widgets that will appear on the Dashboard of every user in 
the system. Users can view these widgets based on their access provisioned by an administrator. The 
Manage Dashboard option allows you to add, modify or remove widgets from the global dashboard. 


NOTE: You should be added as a trustee to use the Manage Dashboard option. 


Figure 3-3 Example of Global Dashboard 




The administrator can add any user, group, container or role as a trustee to manage the global 
dashboard. To modify the trustees who can manage the dashboard, go to Your ID > Settings > Access 
and click Global Dashboard in the list. For more information about modifying configuration access, see 
Managing Dashboard Widgets in NetIQ Identity Manager - Administrator’s Guide to the Identity 
Applications. 


Changing the Dashboard Layout 


The identity applications allow you to change how the widgets are laid out on your 
Dashboard. 


1 In the Dashboard, click •••. 
2 Select Layout. 
3 Choose the layout that you wish to see on your dashboard. 


Figure 3-4 Change Layouts 


IMPORTANT: To apply your changes, click Save. 


Adding a Widget 


To add a new widget to your Dashboard, go to the Dashboard, click •••, and select Widgets. 


Figure 3-5 Add Widgets 


Add General Widgets 


The General category allows you to add widgets to your dashboard outside of the standard Identity 
Manager widgets. You can specify the REST API URL of the required widget and display the required 
information in the form of a line chart, pie chart, or table. 


1 Select any of the following widget types from the list: 

+ Line Chart: Displays the requested information for the selected element in the form of a 
line chart. 

+ Links: Allows you to bookmark frequently used links so that you can access them quickly. 

+ Pie Chart: Displays the requested information for the selected element in the form of a 
pie chart. 

+ Table: Lists the requested information for the selected element in a table. 

2 Click the Configure icon to configure the widget added to your dashboard. 

3 (Conditional) For Line Chart, Pie Chart, and Table widgets, specify the following details: 

+ Title: Specifies the widget name that will be displayed on your Dashboard. 

+ URL: Specifies the REST API URL of the required widget that you want to show on your 
Dashboard. 

+ Root Element: Specifies the element from the REST API code for which you want to display 
a chart. This field is case sensitive. You must enter the name exactly as it appears in the 
REST API code. 

+ Columns: Specifies the columns that you want to display on your widget. You can add 
multiple columns. Title specifies the display name for a column. Path specifies the column 
name as mentioned in the REST API. The Path field is case sensitive. You must enter the 
string exactly as it appears in the REST API code. 


The following is a sample REST API code for the Roles page: 


{
  "total": 12,
  "nextIndex": 0,
  "token": "60045d6be10f4419a2da9fa728683b06",
  "assignments": [
    {
      "id": "cn=aaacccc, cn=level30, cn=roledefs, cn=roleconfig, cn=appconfig, cn=user application driver, cn=driverset1, o=system",
      "name": "AAAcccc",
      "description": "afasfdsf",
      "entityType": "role",
      "link": "/IDMProv/rest/access/assignments/item",
      "bulkRemovable": "true",
      "categories": [
        {
          "categoryId": "default",
          "categoryName": "Default"
        }
      ]
    }
  ]
}


In this sample, assignments is the Root Element and name is the column selected for display 
on the widget. You can also bookmark any URL that you wish to access 
from your Dashboard. 


4 (Conditional) For Links widgets, specify the Title for the links and add links that you wish to 
access from the Dashboard. 


5 Click Save to apply your changes. 
The following are the sample chart and link widgets that can be added to your Dashboard: 


Figure 3-6 Example for General Widgets 
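
The Root Element and Path fields fail silently when their case does not match the REST response, so it helps to check a configuration against a captured response first. The following is an added example, not part of the product or its documentation: the response is constructed from the Roles sample above (closed so that it parses, with a second invented item), and `preview_widget` and `case_hint` are hypothetical helper names. It assumes each Path names a top-level key of the items under the Root Element.

```python
import json

# Constructed response modeled on the Roles page sample above. The sample on the
# page is cut off, so it is closed here and a second, invented item is added.
SAMPLE_RESPONSE = json.loads("""
{
  "total": 12,
  "nextIndex": 0,
  "assignments": [
    {"id": "cn=aaacccc,cn=level30,cn=roledefs,cn=roleconfig,cn=appconfig,cn=user application driver,cn=driverset1,o=system",
     "name": "AAAcccc", "description": "afasfdsf", "entityType": "role",
     "link": "/IDMProv/rest/access/assignments/item", "bulkRemovable": "true",
     "categories": [{"categoryId": "default", "categoryName": "Default"}]},
    {"id": "cn=constructed-role,cn=level10,cn=roledefs,o=system",
     "name": "Constructed Role", "description": "invented for this example",
     "entityType": "role", "link": "/IDMProv/rest/access/assignments/item",
     "bulkRemovable": "false", "categories": []}
  ]
}
""")


def case_hint(wanted, available):
    """Suggest a key that differs from `wanted` only by letter case, if any."""
    matches = [k for k in available if k.lower() == wanted.lower() and k != wanted]
    return f" (did you mean {matches[0]!r}?)" if matches else ""


def preview_widget(response, root_element, columns):
    """Check a widget configuration against a parsed REST response.

    `columns` is a list of (Title, Path) pairs as entered in the widget form.
    Returns (rows, problems): rows hold the values of every column whose Path
    resolves in all items; problems lists fields that do not match exactly.
    """
    if root_element not in response:  # exact, case-sensitive match
        hint = case_hint(root_element, response)
        return [], [f"Root Element {root_element!r} not found{hint}"]
    items = response[root_element]
    if not isinstance(items, list) or not all(isinstance(i, dict) for i in items):
        return [], [f"Root Element {root_element!r} is not a list of objects"]

    problems, usable = [], []
    for title, path in columns:
        if all(path in item for item in items):
            usable.append((title, path))
        else:
            keys = {key for item in items for key in item}
            hint = case_hint(path, keys)
            problems.append(
                f"Path {path!r} for column {title!r} is missing from at least one item{hint}"
            )
    rows = [{title: item[path] for title, path in usable} for item in items]
    return rows, problems


if __name__ == "__main__":
    for root, cols in [("assignments", [("Role", "name")]),
                       ("Assignments", [("Role", "name")]),
                       ("assignments", [("Role", "Name"), ("Type", "entityType")])]:
        print(root, cols, "->", preview_widget(SAMPLE_RESPONSE, root, cols))
```
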


Add Identity Manager Widgets 


The IDM category allows you to add standard Identity Manager widgets to your Dashboard. 
For example: 


+ Access: Displays the count of roles and resources, and other information about them. 


+ Request For Others: Displays the count of pending and denied requests of other users and 
allows you to create a request for these users. 


+ Self Requests: Displays the count of pending and denied requests and also allows you to 
create a new request. 


+ Tasks: Displays the count of new, pending tasks, or the tasks that are about to expire. 


To configure these widgets, see “Configuring a Widget” on page 33. 
IMPORTANT: To apply your changes, click Save. 


Add Identity Governance Widgets 


To use Identity Governance widgets, you must install and configure Identity Governance with 
Identity Manager Dashboard. 


The IG category allows you to add standard Identity Governance widgets to your Dashboard. For 
example: 


Fulfillment Tasks 


Displays the count of access requests, business roles, and permission assignment errors in the 
system. 


Review Tasks 


Displays the count of pending and completed reviews in the system. 


SoD Violations 


Displays the count of not reviewed, approved, or resolving SoD violations in the system. 


Widget Options 
You can perform the following operations on widgets: 



Refresh 

Updates the widget content with the latest information. 
Reposition 

Allows you to move the widget across Dashboard. 
Configure 


Allows you to configure the widget properties. For more information, see “Configuring a 
Widget” on page 33. 


Remove 


Deletes the widget from the Dashboard. 


Collapse 


Hides the widget information and shows only the widget title. 
Open Widget Full-screen 


Displays the widget information in full-screen mode. 


NOTE: 

+ Refresh and Open Widget Full-screen options are displayed only for the widgets that belong 
to the General category. 

+ To apply your changes, click Save. 


Configuring a Widget 


You can configure each widget that is added to your Dashboard. For example, you can enable or 
disable the fields of a widget or change the display color of the fields. 

1 Click the Configure icon on the widget that you wish to configure. 

2 Modify the widget properties. 


For example, you can change the title of a widget, or change the color of a label for a widget 
field. You can also enable or disable a widget field in the properties page. 


3 Click Apply to view the changes on the dashboard. 
For example, you can modify the task widget as shown below: 


Figure 3-7 Example for Widget Configuration 


[Figure: Tasks widget properties form with a Title field (Tasks), the fields New Tasks, 
Expiry Soon, Claimed, Delegated Tasks, and Reassigned Tasks, and the Apply and Cancel buttons.] 


Click Apply to view the changes on the Dashboard. 

[Figure: resulting Tasks widget showing the New Tasks, Expire Soon, and Claimed counts and 
Total Tasks.] 


To configure General widgets, modify the options that are displayed while adding widgets. See “Add 
General Widgets” on page 30. 


IMPORTANT: To apply your changes, click Save. 
Managing Your Permissions and Identity Profile 


Identity Manager Dashboard helps you request access to the resources and roles that you need to 
complete your daily tasks. You can also act on any tasks assigned to you in the Identity Manager 
environment, such as approving requests for access. Owners of resources and roles can manage the 
process. 


When you request a permission, Identity Manager initiates a process to efficiently review your 
request so you can have the role or resource that you need. Your manager receives a notification 
either in email or on the Dashboard to review your request. In some cases, your request might also 
be approved by other individuals in your organization. 


Some users can also make requests on behalf of others or act as a proxy for another user. 


+ Chapter 4, “Managing Your Permission Requests” 
+ Chapter 5, “Managing Applications” 
+ Chapter 6, “Managing Your Tasks” 
+ Chapter 7, “Acting on Behalf of Someone Else” 
+ Chapter 8, “Managing Delegations” 
+ Chapter 9, “Managing Your Availability” 
+ Chapter 10, “Managing Your Profile” 
+ Chapter 11, “Managing the Organization Chart” 
+ Chapter 12, “Managing Your Password” 

4 Managing Your Permission Requests 


This section provides guidance for the following activities: 


+ “Viewing Your Permissions” 
+ “Requesting Permissions” 
+ “Viewing Requests” 
+ “Revoking Permissions” 
+ “Deep Linking to a Request” 


You can also review the help information on the Dashboard for these activities. 


Viewing Your Permissions 


Permissions represent the accounts, roles, or resources that are available to you. Permissions may 
be assigned automatically to you by your organization or you can request specific permissions. 
You can also inherit some permissions indirectly through role relationships or if you are a member of 
a group or a container. To view the roles and resources to which you have access, navigate to 
Access > Permissions on the Dashboard. 


NOTE: By default, the Permissions page lists the permissions that are assigned or approved to you 
directly. However, it may vary depending on how the administrator has configured the settings for 
the page. For more information, see User Settings in the NetIQ Identity Manager - Administrator’s 
Guide to the Identity Applications. 


To see the child permissions mapped with the assigned or approved permissions, click 


To search for a specific permission from the list, type the name, description, or CN of the permission 
in the Search box. You can also filter the list. 


Viewing the Permission Details 


Select the permission for which you want to view more details. The following table lists the fields 
displayed for individual permission: 


Table 4-1 Permission fields and their descriptions 


Fields                    Description 

Description               The description of the role or resource. 

Effective Date            The date and time of permission assignment. 

Expiration Date           The date after which the permission will no longer be 
                          assigned to the user. It is displayed only for 
                          permissions that have the expiration option enabled. 

Reason                    Specifies the reason for assigning the permission to 
                          the user. 

Assigned Permission via   Specifies who assigned the permission to the user. 

                          If a role is assigned to the user directly through an 
                          approval process, you can see the list of approver(s) 
                          who approved the assignment request under the 
                          View Role Approval Information option. 

                          If a role is inherited by the user through membership 
                          to a group or a container, the following details are 
                          displayed under the View Role to Group Assignment 
                          Information option: 

                          + Requested by: Specifies who requested the 
                            permission. 

                          + Request Description: The description provided 
                            while requesting the permission. 

                          + Approver details: Click the link to see the list of 
                            approver(s) who approved the role assignment 
                            request. 


If you are an identity applications Administrator, you can see the permissions of other team 
members in the Others tab. Go to the Others tab and search by user name or permission details. 


+ Searching by User will list all the assigned permissions of that user. You can then select a specific 
permission to review the details such as the date assigned, who assigned the permission, and if 
any reason has been provided for the permission assignment. For more information, see 
Table 4-1. 


+ Searching by Permission will list all users, individual as well as those present in a group or 
container, who are assigned to that permission. 


NOTE: Searching by permission details is not supported for a team manager or supervisor user. 
However, they can see the permissions of their team members by searching for their team name or 
description. In addition, a search by user name is also provided on the page to allow searching and 
viewing permissions of a specific team member. 


For more information, click the help icon on the Dashboard. 

Requesting Permissions 


To request roles and resources, click Access > Requests. 

Before requesting permissions, review the following considerations: 


+ You might be able to request access on behalf of another user. For example, if you are a team 
manager, you usually can act on behalf of team members. The process is the same, except you 
must specify that the request is for Others instead of Self. 


+ Do not use punctuation when specifying a permission that you want to request. If the name of 
the permission you want to request includes punctuation, omit the punctuation when 
searching. 


+ Different permissions require different information, depending on how the administrator has 
configured the permission form. If the permission requires detailed information, the Dashboard 
redirects you to a separate window when you select the permission. 


+ You can request multiple permissions at the same time. 


However, if the permission form for one of the requests requires special types of information, 
you might not be able to include that permission in a multi-permission request. To request 
multiple permissions at once, the request forms for the various requests cannot require 
detailed information. 


+ You can specify the expiry date while requesting a resource or a role. 


When you request a permission, you must specify a reason for the request. You can also specify the 
date that you need the permission to begin or expire. 


You can request permissions in the following ways: 


+ Select one of the Featured Items. You cannot make this request on behalf of another person. 


NOTE: By default, Helpdesk Ticket permission appears in the Featured Items category. You can 
raise a helpdesk ticket using this permission. 


+ Request several permissions at once. 
+ Request a permission that is not among the Featured Items. 


+ Perform the request on behalf of someone else. 
To request only Identity Manager permissions: 


1 (Conditional) To choose a permission from Featured Items category, select the permission. 


2 (Conditional) To choose a non-featured request or to request several permissions, complete the 
following steps: 


2a Select New Request. 


2b (Conditional) To request access on behalf of other individuals, select Others, then specify 
the individual(s). 


NOTE: As a team manager if you request permissions on behalf of other team members, 
you cannot individually select requesters from a group that is included in the team's 
recipients list. The Users tab in the Recipients field will display the logged-in team manager 
and other user recipients in the team. 

2c For Permissions, type the name or description matching the permission. 


NOTE: To raise a helpdesk ticket, search Helpdesk Ticket in the Permissions list. 


2d In the displayed list, select the permission(s) that you want. 
3 Specify a reason for the request. 


4 (Conditional) If you are requesting a role permission, specify the Effective Date and Expiration 
Date for the permission. 


5 (Conditional) If you are requesting a resource permission, specify the Expiration Date for the 
permission. 


NOTE: You can specify the Expiration Date only for the resources that have the expiration 
option enabled. Administrators can enable expiration for the resources. 


6 (Conditional) If required, specify additional information related to the request: 
Secondary forms 


Some permissions might have secondary forms that you must complete as part of the 
request. For example, when requesting a laptop computer, you might need to specify the 
default operating system or graphics requirements. 


Justification for conflicting roles 


Your organization might have two or more roles that could create security problems when 
assigned to the same individual. If these types of roles exist, administrators create a 
separation of duties (SoD) rule to constrain users from gaining access. When a user 
requests one of these roles while already having a conflicting role or requests two or more 
conflicting roles, the identity applications respond according to the SoD policies. 


Conflicting roles when User is the Recipient: If you request or assign one or more 
conflicting roles to a user recipient, the application displays an SoD warning. To override 
the SoD constraint, you must provide the reason for making an exception in the 
Justification field. 


Conflicting roles when Groups and/or Containers are the Recipients: If you request or 
assign one or more conflicting roles to group and/or container recipients, the application 
displays a warning with a list of failed roles and SoD conflicts. A modal window is also 
displayed that provides you the following information: 


+ Recipients: Select the group or container from the list to view its affected users that 
are violating the SoD. 


+ Select SoD to view details: Select the SoD from the list to view the conflicting roles 
and the affected users. Selection is allowed when the request is violating more than 
one SoD. 


+ Conflicting Role 1 and Conflicting Role 2: Displays the roles violating the selected 
SoD. 


+ Affected Users: Displays a list of affected user(s) based on the selected recipients and 
SoD. 


+ Remove: Click to remove the selected recipient from the modal window. 


+ Reset: Click to reset the original list of conflicts displayed in the modal window. 


+ Done: Click to confirm the removal of the selected recipient from the modal window. 


7 Select Request. 
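
To make the SoD check in step 6 concrete, the following added example (an illustration of the concept, not Identity Manager code) evaluates a request against SoD rules and reports, per recipient, the SoD, the two conflicting roles, and the affected users, which are the same fields the modal window lists. The rules, roles, users, group, and the function name `find_sod_conflicts` are all constructed for this example.

```python
# Constructed SoD rules: each rule names two roles that one user must not hold together.
SOD_RULES = {
    "Payment SoD": ("Payment Creator", "Payment Approver"),
    "Admin SoD": ("User Admin", "Audit Reviewer"),
}
# Constructed current role assignments per user.
CURRENT_ROLES = {
    "alice": {"Payment Creator"},
    "bob": {"Audit Reviewer"},
    "carol": set(),
    "dave": {"Payment Creator", "User Admin"},
}
# Constructed group recipient and its members.
GROUP_MEMBERS = {"Finance Group": ["alice", "carol", "dave"]}


def find_sod_conflicts(requested_roles, recipients, current_roles, group_members, sod_rules):
    """Return one entry per (recipient, SoD) that the request would violate.

    A user is affected when the roles already held plus the requested roles
    contain both roles of a rule, and the request includes at least one of them.
    This covers both cases in the text: requesting a role that conflicts with a
    role already held, and requesting two conflicting roles together.
    """
    requested = set(requested_roles)
    conflicts = []
    for recipient in recipients:
        is_group = recipient in group_members
        users = group_members[recipient] if is_group else [recipient]
        for sod_name, (role1, role2) in sorted(sod_rules.items()):
            if not requested & {role1, role2}:
                continue  # the request does not touch this rule
            affected = sorted(
                user for user in users
                if {role1, role2} <= current_roles.get(user, set()) | requested
            )
            if affected:
                conflicts.append({
                    "recipient": recipient,
                    "recipient_type": "group" if is_group else "user",
                    "sod": sod_name,
                    "conflicting_role_1": role1,
                    "conflicting_role_2": role2,
                    "affected_users": affected,
                })
    return conflicts


def without_recipient(recipients, removed):
    """Mirror of the Remove action: drop one recipient before re-checking."""
    return [r for r in recipients if r != removed]


if __name__ == "__main__":
    request = ["Payment Approver", "Audit Reviewer"]
    recipients = ["Finance Group", "bob"]
    for c in find_sod_conflicts(request, recipients, CURRENT_ROLES, GROUP_MEMBERS, SOD_RULES):
        print(c)
    remaining = without_recipient(recipients, "Finance Group")
    print(find_sod_conflicts(request, remaining, CURRENT_ROLES, GROUP_MEMBERS, SOD_RULES))
```
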


To request Identity Governance Permissions: 


This applies only under two conditions: when you have enabled the Show IG Catalog in request page 
option in the Configuration > Identity Governance page, and when you request permission for Self. 


+ IDM Catalogs: Lists all the available Identity Manager roles, resources, and workflows. 


+ IG Applications: Lists all the applications collected in the Identity Governance. You can then 
select the permissions associated with the selected application. 


+ IG Technical Roles: Lists all the technical roles of the Identity Governance. Select the IG roles 
that you want to request and specify a reason for requesting the role. 


For more information, click the help icon on the Dashboard. 


Viewing Requests 
To view the status of a request in progress and completed requests, in the Dashboard select: 
Access > Request History 
A team manager or supervisor can see the request history of other team members in the Others tab. 
You can also raise a Helpdesk ticket for your pending requests. 


+ “Tracking a Request” 
+ “Canceling a Request” 
+ “Raising a Helpdesk Ticket” 


For more information, click the help icon on the Dashboard. 


Tracking a Request 


For each request, you can view not only your actions but also the workflow involved in approving or 
denying your request. Each step in the process has a timestamp. 


NOTE: If you request applications or technical roles from the IG Applications or IG Technical Roles 
tabs, such requests cannot be tracked through the Request History page. To track the IG requests, 
you can add the IG history URL from the Applications page of the Dashboard. 


To track a pending request, select the request, then change the upper-right menu to User and 
System. The Dashboard shows the current state of the request in the approval process. 




Figure 4-1 Tracking a Request 


[Figure: request details window for Laptop. Status: Approval pending; Recipient: Aaron Washington; 
Request date: Feb 23, 2018 9:45 AM; Confirmation Number; Comments (User): Feb 23, 2018, User task 
assigned to reviewer Aaliyah Hall; buttons: Cancel this request, Close.] 


Canceling a Request 


You can cancel a pending request from Request History. Select the request in the list, then select 
Cancel this request on the subsequent window. 


Raising a Helpdesk Ticket 


You can contact the Helpdesk if a request has gone unattended for a long time. 
You can raise a Helpdesk ticket in the following places: 


+ Access > Request, click Helpdesk Ticket. 
+ Applications, click Helpdesk Ticket. 


+ Access > Request History, click the icon on the request for which you want to raise a helpdesk ticket. 

For more information, click the help icon on the Dashboard. 


Helpdesk members receive a notification about the helpdesk ticket. You receive a notification 
once the ticket is resolved or closed. 


Revoking Permissions 


If you no longer need access to a role or a resource, you can revoke the permission to that role or 
resource. To revoke a permission, navigate to Access > Permissions and select the required 
permission and specify a reason for revoking the permission. 


You can also revoke a permission on behalf of other users. For example, if your team member has 
moved from Department 1 to Department 2, and the team member no longer needs access to a 
particular resource, Identity Manager provides the facility to revoke the permission for 
that user. To revoke a permission, select Others and remove the permission. You can revoke multiple 
permissions at one time. You can add these permissions to a queue for reviewing them before 
deciding to revoke them. 

Only the administrator and a team manager can revoke permissions for other users. An 
administrator can revoke permissions for any user in the organization while a team manager can 
revoke permissions only for his team members. 


You can revoke permissions for other users in the following ways: 

+ Search by user: Allows you to search for a user and revoke permissions for that user. You can 
directly revoke a permission for the user or add the permission to a queue. A queue is a 
persistent work area where you can temporarily store permissions that you can review and 
revoke if required. You can then search for other permissions that you want to revoke for that 
user and add them to the queue. This allows you to revoke all permissions at one time. 


+ Search by permissions: Allows you to search for a specific permission. If you select a 
permission, it will list all the users who have that permission. You can directly revoke the 
permission for the selected user or add this permission to a queue and revoke that permission 
for multiple users at one time. 


Team Manager: If you are a team manager, you can revoke permissions of your team members in 
the Others tab. Ensure you have the required permissions to revoke others' permissions. 


Administrator: If you are an administrator, you can add revoke permissions for a team manager. For 
example, to add the permission to revoke a role from a user for a team manager, go to People > 
Teams and edit the team permissions to enable revoke permissions for that team manager. 


Figure 4-2 Example to Add Revoke Permission for a Team Manager 


Add Roles 


This option allows the team manager to revoke the selected role from the team members. 


NOTE: If you revoke a permission, your permissions list might not immediately reflect the change. 
This may be because the permission is associated with a revoke process which can take time. Refresh 
the list to view the changes. 


For more information, click the help icon on the Dashboard. 

Deep Linking to a Request 


The identity applications let you deep link to a specific process request (also known as a provisioning 
request). This feature gives a manager the ability to send a specific process request URL to an 
employee, so this employee can request the process quickly without having to go through the 
Identity Manager Dashboard. When you deep link to a process request, the request form is displayed 
in the body of the page, along with the header for the Identity Applications. 


Once a permission is requested, the request appears in the Access > Request History page of the 
requester and also appears on the Tasks page of the reviewer. 


The URL used for deep linking to a process request uses the following format: 

+ For legacy forms, 


https://<server:port>/IDMProv/requestForm.do?uid=<PRD_ID>&aqua=true&idmdash=true&recipient=<recipient>&jsa=<operation_type> 


Here’s an example of a URL that you might use to deep link to a provisioning 
request definition: 


https://testserver:8543/IDMProv/requestForm.do?uid=cn=request mobile approval app,cn=requestdefs,cn=appconfig,cn=user application driver,cn=driverset1,o=system&aqua=true&idmdash=true&recipient=&jsa=%7B%22submit%22%3A%22submitThenOpener%283000%29%22%2C%22cancel%22%3A%22window.close%28%29%22%7D 


+ For the new JSON forms, 


https://<server:form_renderer_port>/forms/#/form/details?id=<formID>&recipient=<recipient>&pid=<workflowID>&sid=IDM&uri=<forms_uri>&formContainer=RequestForms&locale=<language> 


Here’s an example of a URL that you might use to deep link to a provisioning 
request definition: 


https://testserver:18600/forms/#/form/details?id=cn%3DHelp-desk%20Request%20Form,cn%3DWorkflowForms,cn%3Dappconfig,cn%3DUser%20Application%20Driver,cn%3Ddriverset1,o%3Dsystem&recipient=&pid=cn%3Dhelpdeskticket,cn%3Drequestdefs,cn%3Dappconfig,cn%3Duser%20application%20driver,cn%3Ddriverset1,o%3Dsystem&sid=IDM&uri=%2Frest%2Faccess%2Fforms&formContainer=RequestForms&locale=en 
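
Because deep links are passed around by email or chat, it is useful to decode one and confirm where it points before it is opened or published. The following is an added example, not product code: it parses both link formats shown above, checks the scheme, host, and path, decodes the DN parameters and the `jsa` value, and builds a JSON-form link with every value percent-encoded. The function names and the `EXPECTED_JSA` allowlist (the two operations from the legacy example) are assumptions made for this example.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# The two example links from this section, one line each (legacy DN spaces as %20).
LEGACY_EXAMPLE = (
    "https://testserver:8543/IDMProv/requestForm.do"
    "?uid=cn=request%20mobile%20approval%20app,cn=requestdefs,cn=appconfig,"
    "cn=user%20application%20driver,cn=driverset1,o=system"
    "&aqua=true&idmdash=true&recipient="
    "&jsa=%7B%22submit%22%3A%22submitThenOpener%283000%29%22%2C"
    "%22cancel%22%3A%22window.close%28%29%22%7D"
)
JSON_FORM_EXAMPLE = (
    "https://testserver:18600/forms/#/form/details"
    "?id=cn%3DHelp-desk%20Request%20Form,cn%3DWorkflowForms,cn%3Dappconfig,"
    "cn%3DUser%20Application%20Driver,cn%3Ddriverset1,o%3Dsystem"
    "&recipient="
    "&pid=cn%3Dhelpdeskticket,cn%3Drequestdefs,cn%3Dappconfig,"
    "cn%3Duser%20application%20driver,cn%3Ddriverset1,o%3Dsystem"
    "&sid=IDM&uri=%2Frest%2Faccess%2Fforms&formContainer=RequestForms&locale=en"
)

LEGACY_PATH = "/IDMProv/requestForm.do"
JSON_FORM_PATH = "/forms/"
JSON_FORM_ROUTE = "/form/details"
REQUIRED = {"legacy": ("uid",), "json": ("id", "pid")}
# Assumption: only the operations seen in the legacy example are expected.
EXPECTED_JSA = {"submit": "submitThenOpener(3000)", "cancel": "window.close()"}


def build_json_form_link(host, port, form_dn, workflow_dn, recipient="", locale="en"):
    """Build a JSON-form deep link, percent-encoding each parameter value."""
    params = [
        ("id", quote(form_dn, safe=",")),
        ("recipient", quote(recipient, safe=",")),
        ("pid", quote(workflow_dn, safe=",")),
        ("sid", "IDM"),
        ("uri", quote("/rest/access/forms", safe="")),
        ("formContainer", "RequestForms"),
        ("locale", quote(locale, safe="")),
    ]
    query = "&".join(f"{name}={value}" for name, value in params)
    return f"https://{host}:{port}{JSON_FORM_PATH}#{JSON_FORM_ROUTE}?{query}"


def inspect_deep_link(url, expected_host):
    """Decode a deep link and list anything that does not match the documented format."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.hostname != expected_host:
        findings.append(f"host {parts.hostname!r} is not the expected {expected_host!r}")
    if parts.path == LEGACY_PATH:
        kind, query = "legacy", parts.query
    elif parts.path == JSON_FORM_PATH and parts.fragment.startswith(JSON_FORM_ROUTE + "?"):
        # Everything after '#' is the fragment, so the parameters are not in parts.query.
        kind, query = "json", parts.fragment.split("?", 1)[1]
    else:
        findings.append("not a request-form deep link")
        return {"kind": "unknown", "params": {}, "findings": findings}

    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    for name in REQUIRED[kind]:
        if not params.get(name):
            findings.append(f"missing {name}")
    if kind == "legacy" and params.get("jsa"):
        try:
            operations = json.loads(params["jsa"])
        except ValueError:
            operations = None
        if not isinstance(operations, dict):
            findings.append("jsa is not a JSON object")
        else:
            params["jsa"] = operations  # decoded for review
            for action, call in operations.items():
                if EXPECTED_JSA.get(action) != call:
                    findings.append(f"unexpected jsa operation {action}={call!r}")
    return {"kind": kind, "params": params, "findings": findings}


if __name__ == "__main__":
    for link in (LEGACY_EXAMPLE, JSON_FORM_EXAMPLE):
        print(inspect_deep_link(link, "testserver"))
```
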




5 Managing Applications 


As an administrator for the identity applications, you can modify the Applications page to display all 
the applications, activities, and permissions that you want users to access. By default, the identity 
applications provide a Home items category, which cannot be deleted. 


After you complete your changes, click Editing done to return to Applications. 


Creating Featured Items 


You can create any number of applications and permissions that you might want to add to the 
Applications page. You do not have to add these items to Home items or other Applications 
categories. 


1 (Conditional) To create a new item, click + on Applications or Permissions tab. 


2 Complete the form for an application or a permission. See “Adding an Application” on page 45 
or “Adding a Permission” on page 46. 


NOTE: You must specify a value for all fields that have an asterisk (*), such as the name and 
description for an application. 


3 (Optional) Drag and drop the new application or permission to a category. 


4 (Conditional) To modify an existing item, select the edit icon within the tile, then update the 
values. 


Adding an Application 


To add an application, specify the following details: 


(Conditional) Add to Category 


Specifies the category for this application. 
Name 

Specifies the name of the application. 
Description 

Specifies the nature of the application. 
(Optional) Image 

Specifies a logo or image for an application. 
Link 


Specifies a link for this application. See “Deep Linking to a Request” on page 44. 
(Optional) API URL 


Specifies the URL of the REST endpoint with JSON data that provides extra details, such as the 
value of parameters and a badge. Refer to the documentation for more details. 


Adding a Permission 


To add a permission, specify the following details: 


Permissions 


Specifies the permission. This can be a role, resource, or PRD. 


(Conditional) Add to Category 
Specifies the category for this application. 
(Optional) Image 


Specifies a logo or image for an application. 


Add, Modify, or Delete a Category 


You can organize Applications items into logical categories. You can create any number of categories 
that your organization might need. You can also rearrange the tiles within a category or move tiles to 
a different category. 


Add a Category 


1 Select New Category. 


Identity Manager adds the category at the end of the category groups. You might need to scroll 
down to view the added category. 


2 Specify the name of the new category. 
3 Click +, then select Application or Permission. 


4 Complete the form for the application or permission. 


NOTE: You must specify a value for all fields that have an asterisk (*), such as the name and 
description for an application. 


5 Select +Add. 


Modify a Category 
You can modify a category in the following ways: 


+ Add tiles for applications and permissions by dragging and dropping them from the New Items 
and Permissions section on the right side of the page 
+ Remove an application or permission by selecting the trash icon within the item’s tile 


+ Change the settings for an item 
+ Change the name of the category 


+ Reorder the items within the category 


Delete a Category 


To delete a category, select the trash icon to the right of the category’s name. 

6 Managing Your Tasks 


If you are responsible for approving or denying requested permissions in Identity Manager, you can 
use the Dashboard to manage your tasks as you might have previously done in the User Application. 
You can approve or deny requests one at a time, or you can approve or deny multiple simple 
requests that do not require detailed information in bulk. 


To review pending requests, click Tasks. 


Alternatively, you might receive an email notification with a link that allows you to approve or reject 
a request in a response email. 


Before acting on user requests, review the following considerations: 


+ You can multi-select tasks for a batch approval/denial. 


+ For a more complex request that requires detailed information, the Dashboard does not display 
a check box. You must approve or deny those requests by selecting each request and 
completing the forms. 


+ When you select a more complex request to approve or deny, the Dashboard might need to 
open the request form in a separate browser tab. 


+ In general, you must provide a comment explaining why you want to approve or deny the 
selected tasks. 


Viewing your Tasks 


To manage your tasks, select Tasks. To view tasks assigned to others, click Others. 


If you are serving as a proxy or delegate for others' tasks, you can complete tasks that are assigned to 
someone else. For more information about proxy assignments and delegation assignments, see 
Acting as a Proxy. 


IDM Approvals: Applies if you have enabled the Show IG Approvals in tasks page option in the 
Configuration > Identity Governance page. 


This tab lists all the Identity Manager tasks. By default, it lists all the Self tasks. To view others' tasks 
with an appropriate role, click Others. 


+ You can search your tasks using Reassigned Tasks, Returned Tasks, or Delegated Tasks filters. 
Using Delegated Tasks filter for the Self option displays only the tasks that are delegated to you. 
+ If you are an administrator, you can also filter tasks using Assigned to me, Recipient as me filter. 


+ If you are searching others tasks you can use Returned Tasks, Reassigned Tasks, or Delegated 
Tasks filter. Using Delegated tasks filter for Others shows all the tasks that are delegated to other 
users in the system. 


+ You can also refine your task search based on tasks that occurred in the system: 


1. Select the filter icon. 

2. (Conditional) To see the tasks created for a certain period, specify the period in Weeks, 
Days, or Hours. 


3. (Conditional) Specify the task status that you wish to filter. 

4. Click Filter. 
+ If you are a helpdesk user, you can use Helpdesk Tasks filter to see the refined list. To manage 
helpdesk task, see the Dashboard help. 


At times, you might have to approve requested items if the Access Request policy specifies you as an 
approver for requests. These approval requested items are listed in the Approvals tab. 


IG Approvals: Applies if you have enabled the Show IG Approvals in tasks page option in the 
Configuration > Identity Governance page. 


This tab lists all the pending approval tasks for Identity Governance. You can reassign the tasks to 
others using the Reassign option. 


Managing Requests for Approval or Denial 


In some organizations, a group of people might be responsible for reviewing, approving, and denying 
requests for access. When this occurs, each member of the group receives the same requests. For 
example, the IT Services team might be responsible for all requests for telecommunications and 
computing equipment. When a new employee requests a cellphone, the request gets assigned to all 
members of the IT Services team. Anyone on the team can complete the request. 


You can perform any of the following tasks on the request: 


Claim Request 


You can claim responsibility for a request and act on the required task immediately or later. 
Regardless of when you act on the task, other members of your group can no longer see that request 
in their Tasks. 


Release Request 


If you do not want to act on the request that you have claimed, you can release that request. 


Reassign Request 


A task that is assigned to you can be reassigned to another user in the organization. The following 
considerations apply to reassigning tasks: 


+ If you are unable to complete the task, you can reassign it to your manager. Select the request 
under the Self tab and then select Reassign. The task is automatically reassigned to your 
manager. 


+ If you are a team manager, you can reassign the team tasks including yours to other team 
members through the Others tab. Go to Others tab, select the required request check box and 
click Reassign. From the Assign to drop-down menu, select the team member whom you want 
to reassign the task, provide a comment for reassignment, and click Reassign. The task is 
reassigned to the selected team member. 

+ If you have not acted on the task in the specified time frame, the following actions can occur: 


+ An administrator can reassign the task to another user. An administrator has a permission 
to reassign a task to any user in the organization. 


+ A team manager can reassign the task to another member in the team. Ensure that the team 
manager has the Manage Addressee Task permission enabled at the time of team creation. 


This applies only when the Members option is used to add members to the team at the time of 
team creation. For more information, see “Create a Team” on page 82. 


NOTE: If you use All Users or Relationship option to create a team, the team manager 
cannot reassign the tasks to another member in the team. 


+ The Helpdesk user can reassign the task to your manager up to the hierarchy level defined 
in the Settings page. Administrator configures the manager hierarchy. 


If a task is reassigned to you and you are unable to take it, you can return the task to the user who 
assigned the task to you. 


Return Request 


If you do not want to act on a request that is reassigned to you, you can return that request. The 
identity applications automatically assign the returned task back to the actual approver. 


NOTE: Only a reassigned request can be returned. 


For more information, click [icon] on the Dashboard. 


Managing Helpdesk Tasks 


Helpdesk tasks are generated for every helpdesk ticket raised in the system. According to the example in 
“How Helpdesk Works?” on page 18, Emily’s ticket creates a helpdesk task in Helen’s Tasks page. 
Helen can take appropriate actions for this helpdesk task. 


If you are a helpdesk user, select the Helpdesk Ticket that requires your action. Perform any of the 
following actions on the selected helpdesk ticket: 


Update 
Updates the helpdesk ticket with an appropriate comment. 

Complete 
Completes the helpdesk ticket enclosed with your resolution comment. 

Cancel 
Closes the helpdesk ticket with an appropriate comment. 


NOTE: You can Claim or Release a helpdesk task. If you claim a helpdesk ticket from the list of tasks, 
the helpdesk ticket appears in your Self tasks. 


For more information, click [icon] on the Dashboard. 


Acting on Behalf of Someone Else 


In some organizations, you might be allowed to complete tasks as a proxy, or delegate, for someone 
else. For example, a personal assistant might perform proxy actions for the boss. Also, while a 
coworker is on maternity leave, you might temporarily be assigned to act on her behalf. 


+ “Viewing Your Proxy Assignments” on page 53 
+ “Acting as a Proxy” on page 53 


+ “Managing Proxy Assignments” on page 53 


For more information, click [icon] on the Dashboard. 


Viewing Your Proxy Assignments 


To view your proxy assignments, in the Dashboard select: 


Access > Proxy Assignments 


Acting as a Proxy 


An administrator might assign you to serve as a proxy for another user. When this occurs, the 
application adds a proxy option to your account menu in the upper right corner. 


Your ID > Proxy As 


For example, Sarah Smith manages Customer Relations. The identity applications include a 
Customer Relations team with Sarah Smith as the Team Manager. She can act on behalf of Maria 
Belafonte, who is a member of her team. In the Dashboard, she selects ssmith > Proxy As, then 
specifies mbelafonte. 


Managing Proxy Assignments 


As an administrator or a team manager, you can create, modify, and delete an assignment. For a 
team manager to manage proxy assignments for a team, you must configure the team appropriately. 
The team manager can create assignments for team members only. 


Managing Delegations 


In some organizations, delegating tasks to another user is allowed. If you are a delegate for others’ 
tasks or your tasks are delegated to other users in the organization, you can see the delegation 
information in Administration > Delegation. 


You can see the delegated tasks in the Tasks page. A task marked with the [icon] icon is a 
delegated task. 


IMPORTANT: Creating a delegation assignment also requires you to specify your availability details. 
You can either provide your availability details while creating the delegation assignment or create 
the delegation and then specify availability details in a separate action. This depends on whether the 
administrator has enabled the required settings, in which case you see the Unavailable From option 
in the Create Delegate Assignment page. However, if you are unable to see the Unavailable From 
option, you must specify your availability details from the Availability Settings page after creating the 
delegation assignment. This ensures that the delegation functions as expected. For more 
information, click [icon] on the Dashboard. 


Managing Your Availability 


You can specify which resource requests with a delegate assignment you are unavailable to work on 
during a particular time period. During the time period when you are unavailable for a particular 
request, the user delegated to act on that request can work on it. 


To view your availability, in the Dashboard select: 
People > Availability 


Before using the Unavailable From action, you need to have at least one delegate assignment to work 
on. You need to have your team manager (or the Provisioning Application Administrator) create 
delegate assignments for you. 


The global settings pertaining to availability-based delegation are specified by Set Availability while 
creating a Delegation Assignment in Settings > Customization > Navigation Items > General. If you 
prefer not to specify your availability for each request definition individually, you can use the Not 
Available for All Requests from Change Status action. 


For more information, click [icon] on the Dashboard. 


Managing Your Profile 


The identity applications give you a convenient way to display and work with your identity 
information. They also enable your organization to be more responsive by giving you access to the 
information about other users that you need whenever you need it. For example, you might want to: 

+ Manage your own user account directly 
+ Look up other users and groups in the organization on demand 
+ Visualize how those users and groups are related 
+ List applications with which you are associated 

Your system administrator is responsible for setting up the contents of the identity applications for 
you and the others in your organization. What you can see and do is typically determined by your job 
requirements and your level of authority. 


Updating Your Profile 


To view or update your identity profile, in the Dashboard select: 
[your ID] > My Profile 


Or, 


Click [icon] on your dashboard. 


This page lists your reporting manager, roles, resources, and group. You should have administrator 
access to edit your information or to view your organization chart. 


Your profile includes settings such as your name, email address, and phone number. This page 
displays the user attributes that are enabled with Search and Read access. These access properties 
can be configured in the Directory Abstraction Layer (DAL). For more information, see Attribute 
Properties in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity 
Applications. Your organization determines which settings you can modify. For example, you might 
be able to change your phone number but not your last name. 


Managing the Organization Chart 


The Identity Manager Dashboard gives you a convenient way to search for an entity in your 
organization and view its organization chart (an entity can be a user, group, or custom entity defined 
by your administrator). An organization chart shows the hierarchy of relationships, such as 
Manager-Employee, Group’s membership, or User groups, among entities in your organization. 


By default, the Organization Chart page in the Dashboard shows the placement of a user entity 
within the organization and its relationship hierarchy with other user entities based on the 
organization chart relationship set by the administrator. For more information on default settings for 
the Organization Chart page, see Customizing the Views in NetIQ Identity Manager - Administrator’s 
Guide to the Identity Applications. For more information on how to view the organization chart of 
entities other than the user entity, see Viewing the Organization Chart of an Object in the NetIQ Identity 
Manager - Administrator’s Guide to the Identity Applications. 


The organization chart is often referred to as “org chart”. You may find both terms used in 
the Dashboard. 


Viewing an Organization Chart 


By default, the Security Administrator and Provisioning Administrator can view the organization chart for 
all the entities in the system. 


You can navigate to the organization chart of a user entity in one of the following ways: 


+ Go to People > Organization Chart. This page displays the organization chart of the logged-in user 
based on the default organization chart relationship configured in the Settings page. You can 
also view the organization chart using the [icon] icon provided on the My Profile, Dashboard, and 
Applications pages. 

To find the organization chart of other users in the system, type the name of the user in the 
search bar provided in the Organization Chart page. 


+ Go to People > Users, select any user from the list, and click the [icon] icon beside the user name. 
For more information, see Chapter 13, “Managing Users,” on page 77. 


NOTE: You should have Org Chart access to view the Organization Chart. Contact your administrator 
to provide this access. For more information, see Managing User Access in NetIQ Identity Manager - 
Administrator’s Guide to the Identity Applications. 


Understanding the Organization Chart 


The organization chart displays the entity information in a card format. These cards are arranged in a 
hierarchical order based on the default organization chart relationship configured by your 
administrator. A root or selected entity that is displayed on the top is the starting point or 
orientation point in the organization chart, and the child entity directly under the root entity is 
displayed at the bottom based on the default relationship. 


Each card displays information based on the primary and secondary attributes defined by your 
administrator. For more information on how these attributes can be customized, see Customizing 
the Organization Chart View in NetIQ Identity Manager - Administrator’s Guide to the Identity 
Applications. For a user entity specifically, the card is set to display the full name of the user in 
addition to the primary and secondary attributes defined by the administrator. As a result, when the 
administrator configures the first name and last name as primary attributes, the full name of the 
user may appear twice in the Card View on the Users page and in the organization chart. 


NOTE: In the organization chart view, if the primary and secondary attributes of an entity are not 
defined by the administrator, then the Identity Applications display the CN attribute of that entity in 
the Organization Chart page. 


Figure 11-1 shows an example of an organization chart for the user Margo Mackenzie where the default 
organization chart relationship is set to Manager-Employee. 


Figure 11-1 Example of the organization chart on the Dashboard 


In this example, Margo Mackenzie is the manager, and Maria Belafonte, Kevin Chester, and Allison 
Blake are employees who report to her. Each card displays the user's full name on top, which in 
Margo's case is Margo Mackenzie, followed by the role in the organization and email address that 
are set as primary and secondary attributes by the administrator. The count at the bottom-right 
corner of Margo Mackenzie’s card signifies the number of employees who report to her. 


Working with the Organization Chart 


Based on the search input entered in the Organization Chart page, the Dashboard displays the 
organization chart of the entity. You can perform other tasks on the page such as view other 
relationships of the entity, change the root entity and view its organization chart, or view the 
organization chart of an entity at next level in the relationship hierarchy. 


To understand more about the tasks that you can perform in the Organization Chart page, let us 
consider the following example of a marketing team in the XYZ company: 


Margo Mackenzie is the Director in marketing team where Allison Blake, Kevin Chester, and Maria 
Belafonte are employees who report to her. Margo Mackenzie reports to Timothy Swan, the Vice 
President of the Marketing team. 


Go to People > Organization Chart in the Dashboard and search for Timothy Swan to view his 
organization chart. Similarly, perform a search for Margo Mackenzie. Figure 11-2 and Figure 11-3 
show their individual organization charts based on the Manager-Employee relationship. 


Figure 11-2 Organization chart of Timothy Swan in the role of Manager. 


Figure 11-3 Organization chart of Margo Mackenzie in the role of Manager. 


Let us look at the tasks that you can perform in the Organization Chart page based on the above 
example: 

+ “Reset the Root in the Organization Chart View” on page 64 

+ “Switch the Organization Chart view” on page 64 

+ “Choose a Relationship to View” on page 65 

+ “Navigate to the Next Level in Relationship Hierarchy” on page 66 

+ “Send Email to Users from the Organization Chart” on page 67 


+ “View Detailed Information of a User” on page 67 


NOTE: The above tasks are applicable to both user and custom entities. 


Reset the Root in the Organization Chart View 


To reset the root user in your organization chart view: 


1 Identify the user that you want to make the new root. 
Suppose you are viewing the organization chart where Timothy Swan is in the role of Manager 
and you want Margo Mackenzie as the new root. 


2 Go to Margo Mackenzie’s card and click the [icon] icon. She becomes the new root and is now at the 
top in the Manager-Employee organization chart. The employees who report to Margo 
Mackenzie, namely Maria Belafonte, Kevin Chester, and Allison Blake, are listed under her. 


Figure 11-4 Margo Mackenzie as new root in the organization chart view 


Switch the Organization Chart view 


To reset the root user and the default relationship in your organization chart view, perform the 
following actions: 


1 Identify the user whose organization chart you want to view. 
Suppose you are viewing the organization chart where Margo Mackenzie is in the role of 
Manager. Maria Belafonte, the employee under Margo Mackenzie, is also a mentor to Kevin 
Chester and Allison Blake. You want to view the Mentor-Employee relationship of Maria 
Belafonte. 


2 Go to Maria Belafonte’s card and click [icon]. 


3 From the drop-down menu, select the relationship as Mentor-Employee. Maria Belafonte 
becomes the root of the Mentor-Employee organization chart and Kevin Chester and Allison 
Blake are listed as employees under her. 


Figure 11-5 Organization chart of Maria Belafonte in the role of Mentor 


Choose a Relationship to View 


To view relationships of a user other than the default, perform the following actions: 


1 Identify the user whose relationship you want to view. 


Suppose you are viewing the organization chart where Margo Mackenzie is in the role of 
Manager. You want to view the user group relationship of Maria Belafonte, who is a part of the 
Marketing group. 


2 Go to Maria Belafonte’s card and click [icon]. 


3 From the drop-down menu, select the relationship as User groups. Maria Belafonte’s group 
membership chart is added inline in the existing organization chart view. 


NOTE: The maximum level to which you can expand the organization chart of a user and view the 
relationships inline is defined by the administrator. By default, you can expand up to level 3, wherein 
level 1 is always assigned to the root user. 


Navigate to the Next Level in Relationship Hierarchy 


To understand this task, let us consider a second example of Edward Miller, who is the Director in the sales 
team. Allison Blake and Filla Martell are the direct reports of Edward Miller. As you can see, Allison 
Blake is a common member of the sales and marketing teams and reports to two managers, namely 
Edward Miller and Margo Mackenzie. 


To navigate and expand to the next level in the relationship tree, perform the following actions: 


1 Identify the user for which you want to view and navigate to the next level in the hierarchy. 
Suppose you are viewing the organization chart where Margo Mackenzie is in the role of 
Manager and you want to view the organization chart of Allison Blake. 


2 Go to Allison Blake’s card, click [icon], and select the recursive Manager-Employee relationship from 
the list. 


3 Click [icon]. 


In the Manager-Employee drop-down menu, the employee Allison Blake displays two managers, 
namely Margo Mackenzie and Edward Miller, to whom she reports. 


Figure 11-6 Recursive Manager-Employee relationship of Allison Blake 


4 Select the manager, Edward Miller. The organization chart of Allison Blake is displayed. 


Figure 11-7 Organization chart of Allison Blake 


[Figure: Edward Miller (Director, Sales, edward@xyz.com) at the top of the Manager-Employee chart, with Filla Martel (Sales Intern, filla@xyz.com) and Allison Blake (Creative Assistant, allison@xyz.com) listed under him.] 

Send Email to Users from the Organization Chart 


Using the [icon] option, you can: 


+ Send an email to the selected user. 
+ Share the profile link of an entity over email. 
+ (Optional, only applicable to the Manager-Employee relationship) Send an email to all team 
members under the selected user. 


For more information, click [icon] on the Dashboard. 


IMPORTANT: 

+ Before sending an email from the organization chart view, you must ensure that a 
default email client is configured in your system. 

+ To ensure that the New Email and Email Team options work, configure the Email attribute as a 
primary or secondary attribute on the Settings page. For more information, see User Settings in 
the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications. 


View Detailed Information of a User 


1 Identify the user whose information you want to view. 


Suppose you are viewing the organization chart where Margo Mackenzie is in the role of 
Manager and you want to view additional details such as the roles and resources assigned to 
Kevin Chester. 


2 Go to Kevin Chester’s card and click the [icon] icon. The profile page displays detailed information, 
including the roles and resources assigned to him. 


If you cannot see the [icon] icon on a user’s card, for example Jack Miller’s card, who is the President of 
XYZ organization, it indicates that you do not have appropriate permissions to the user catalog and 
therefore cannot view his profile. Contact your administrator if you require the necessary access to 
view a profile. 


For more information, click [icon] on the Dashboard. 


Managing Your Password 


Identity Manager includes Self Service Password Reset (SSPR) to help you manage the process for 
changing passwords and resetting forgotten passwords. During password reset, SSPR uses a 
challenge-response authentication method to authenticate you. 

+ “Using Self-Service Password Management in Identity Manager” on page 69 


+ “Using the Legacy Password Management” on page 71 


NOTE: This section describes the default features for managing your password. You might 
encounter some differences because of your job role, your level of authority, and customizations 
made for your organization; consult your system administrator for details. 


Using Self-Service Password Management in Identity Manager 


SSPR automatically integrates with the single sign-on process for the identity applications and 
Identity Reporting. It is the default password management program for Identity Manager. When a 
user requests a password reset, SSPR requires the user to answer the challenge-response question. If 
the answers are correct, SSPR responds in one of the following ways: 


+ Allow users to create a new password 

+ Create a new password and send it to the user 

+ Create a new password, send it to the user, and mark the old password as expired. 


You configure this response in the SSPR Configuration Editor. After upgrading to a new version of 
Identity Manager, you can configure SSPR to use the NMAS method that Identity Manager 
traditionally used for password management. However, SSPR does not recognize your existing 
password policies for managing forgotten passwords. You also can configure SSPR to use its 
proprietary protocol instead of NMAS. If you make this change, you cannot return to using NMAS 
without resetting your password policies. 


You can use SSPR to do any of the functions listed in Table 12-2, “Password Management Functions,” 
on page 72: 




Table 12-1 Password Management Functions 


This Password Management page | Enables you to 
Password Challenge Response | Set or change either of the following: your valid responses to administrator-defined challenge questions; user-defined challenge questions and responses 
Change Password | Change (reset) your password, according to the rules established by your system administrator 
Password Policy Status | Review your password policy requirements. 


Understanding Password Challenge Response 


Challenge questions are used to verify your identity during login when you have forgotten your 
password. If the system administrator has set up a password policy that enables this feature for you, 
you can use the Password Challenge Response page to: 


+ Specify responses that are valid for you when answering administrator-defined questions 


+ Specify your own questions and the valid responses for them (if your password policy enables 
this) 


During the login process, the login page automatically redirects you to the Challenge-Response page. 
You set up the responses for challenge questions on this page. For more information, see “If You 
Forget Your Password” on page 24. When you log in again and try to reset the forgotten password, 
SSPR prompts you with the configured questions and asks you to specify the correct answer. When the 
answer matches the response that you had saved earlier, SSPR allows you to reset the 
password. 


Changing Your Password 


You can change your password (providing that the system administrator has enabled you to do so). 


1 In the Dashboard, click Applications > Change My Password. 


2 Type your current password. The Change Password page displays. 




3 Type your new password in the New Password text box. 

4 Type your new password again in the Confirm Password text box. 

5 Click Change Password. 


If your new password violates any of the password rules defined in the password policy by your 
administrator, you will see an error message on the Change Password page. 


This page typically provides information about how to specify a password that meets the 
policy’s requirements as defined by your administrator. Review the password rules, and try 
again. 


6 Click Continue. The status of your request is displayed. On success, it takes you back to the OSP 
login page. 


Password Policy Status 


NOTE: This feature is only available for administrator users. 


You are assigned a password policy by your administrator. The policy determines the security 
measures associated with your password. You cannot check your password policy requirements 
unless the User Application administrator has provided you with rights to do so. The User Application 
administrator can check the status of password policy on the Identity Manager Home page. This link 
does not exist by default. You need to customize the Home page to include it. For customizing the 
default Identity Manager Home items, see Chapter 5, “Managing Applications,” on page 45. 


On the landing page, click the Password Status and Policy link. The Password Policy Status and Policy page 
displays. To change your Identity Manager password, go to Identity Manager Home and select 
Change My Password. The Identity Manager Home link redirects you to the Change Password area of 
SSPR. 


Using the Legacy Password Management 


This section tells you how to use the Password Management pages on the Identity Self-Service tab of 
the Identity Manager User Application. Topics include: 

+ “Password Challenge Response” on page 72 

+ “Password Hint Change” on page 73 

+ “Change Password” on page 73 

+ “Password Policy Status” on page 74 


+ “Password Sync Status” on page 74 


NOTE: This section describes the default features of the Password Management pages. You might 
encounter some differences because of your job role, your level of authority, and customizations 
made for your organization; consult your system administrator for details. 


For more general information about accessing and working with the Identity Self-Service tab, see 
Chapter 10, “Managing Your Profile,” on page 59. 


You can use the Password Management pages to do any of the functions listed in Table 12-2, 
“Password Management Functions,” on page 72: 


Table 12-2 Password Management Functions 


This Password Management page | Enables you to 
Password Challenge Response | Set or change either of the following: your valid responses to administrator-defined challenge questions; user-defined challenge questions and responses 
Password Hint Change | Set or change your password hint 
Change Password | Change (reset) your password, according to the rules established by your system administrator 
Password Policy Status | Review your password policy requirements. 
Password Sync Status | Display the status of synchronization of application passwords with the Identity Vault. NOTE: Accessing applications prior to completion of synchronization causes application access issues. 


Password Challenge Response 


Challenge questions are used to verify your identity during login when you have forgotten your 
password. If the system administrator has set up a password policy that enables this feature for you, 
you can use the Password Challenge Response page to: 

+ Specify responses that are valid for you when answering administrator-defined questions 
+ Specify your own questions and the valid responses for them (if your password policy enables 
this) 

To use the Password Challenge Response page: 

1 On the Identity Self-Service tab, click Password Challenge Response in the menu (under Password 
Management). 
The Password Challenge Response page displays. 


2 Type an appropriate response in each Response text box (they are all required), or use your 
previously stored response. When Use Stored Response is selected, the challenge answers, 
including the labels, are not shown. In addition, user-defined challenge questions are disabled. 


Make sure you specify responses that you can remember later. 


3 Specify or change any user-defined questions that are required. You may not use the same 
question more than once. 


4 Click Submit. 


After you save the challenge responses, the User Application displays a message indicating that 
the challenge responses were saved successfully and displays the challenge response screen 
again with "Use Stored Response?" selected. 




Password Hint Change 


A password hint is used during login to help you remember your password when you have forgotten 
it. Use the Password Hint Change page to set or change your password hint. 


1 On the Identity Self-Service tab, click Password Hint Change in the menu (under Password 
Management). 
The Password Hint Definition page displays. 
2 Type the new text for your hint. 
Your password cannot appear within the hint text. 
3 Click Submit. 
The status of your request displays. 


Change Password 


You can use this page whenever you need to change your password (providing that the system 
administrator has enabled you to do so). 


1 On the Identity Self-Service tab, click Change Password in the menu (under Password 
Management). 


The Change Password page displays. If the system administrator has set up a password policy for 
you, the Change Password page typically provides information about how to specify a password 
that meets the policy’s requirements. For example: 


If no password policy applies, you’ll see the basic Change Password page, which simply provides 
fields for changing your password. 


The User Application supports the following password syntax types: 

+ Microsoft complexity policy 
  This password syntax type is used for backward compatibility with Active Directory 2003. 

+ Microsoft Server 2008 Password Policy 
  This is a new password syntax type that has been added to eDirectory 8.8.7 to support 
  Active Directory 2008. 
  The following settings are supported with Microsoft Server 2008 Password Policy: 
  + Use Microsoft Server 2008 Password Policy 
  + Maximum number of complexity policy violations in password (0-5) 

+ Novell syntax 
  The following new settings are supported with the Novell syntax: 
  + Minimum number of non-alphabetic characters (1-512) 
  + Maximum number of non-alphabetic characters (1-512) 

For all three password syntax types, the User Application supports the following features: 

+ Number of characters different from current password and passwords from history (0-6) 
+ Number of passwords in history to be considered for character exclusion (0-10) 


If your administrator has enabled the Microsoft Server 2008 Policy syntax, fill in the following 
fields in the Change Password page: 


2 Type your current password in the Old password text box. 

3 Type your new password in the New password text box. 

4 Type your new password again in the Retype password text box. 
5 Click Submit. 


If your new password violates any of the password rules defined by your administrator, you will 
see an error message on the Change Password page. If you are using Microsoft Server 2008 
Policy, and your password is in violation, the user interface will show this message at the top of 
the page: 


Password AD2008 complexity policy violation. 


If your new password is in violation, review the password rules defined by your administrator, 
and try again. 


6 You might be prompted to supply a password hint, if your administrator configured your 
security policy to do so. If so, see “Password Hint Change” on page 73. 


7 The status of your request is displayed. 
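

The password syntax settings listed in step 1, worked through as an added example (not part of the original guide and not NetIQ code). The class and function names are hypothetical, and how each setting is evaluated is an assumption: one complexity violation is counted per missing character category of Microsoft's five-category complexity rule, a character counts as different when it occurs nowhere in the compared password, and history is ordered newest first.

```python
from dataclasses import dataclass
from typing import List, Sequence

# Message the page quotes for a Microsoft Server 2008 Policy failure.
AD2008_MESSAGE = "Password AD2008 complexity policy violation."


@dataclass
class SyntaxPolicy:
    """Settings named on the page (ranges from the page); evaluation is assumed."""
    use_ad2008: bool = False
    max_complexity_violations: int = 2  # 0-5, Microsoft Server 2008 Password Policy
    min_non_alpha: int = 1              # 1-512, Novell syntax
    max_non_alpha: int = 512            # 1-512, Novell syntax
    min_different_chars: int = 0        # 0-6, all syntax types
    history_depth: int = 0              # 0-10, all syntax types


def missing_categories(password: str) -> List[str]:
    """List the categories of Microsoft's complexity rule absent from the password."""
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c in "0123456789" for c in password),
        "non-alphanumeric": any(not c.isalnum() for c in password),
        # Letters without case, for example CJK characters.
        "other-alphabetic": any(
            c.isalpha() and not c.isupper() and not c.islower() for c in password
        ),
    }
    return [name for name, found in present.items() if not found]


def different_chars(new: str, old: str) -> int:
    """Assumed metric: characters of `new` that occur nowhere in `old`."""
    return sum(1 for c in new if c not in old)


def check_password(new: str, current: str, history: Sequence[str],
                   policy: SyntaxPolicy) -> List[str]:
    """Return the rule failures; an empty list means the password is accepted.

    `history` is ordered newest first (assumption).
    """
    problems: List[str] = []
    if policy.use_ad2008:
        # Assumption: each missing category is one violation.
        if len(missing_categories(new)) > policy.max_complexity_violations:
            problems.append(AD2008_MESSAGE)
    else:
        non_alpha = sum(1 for c in new if not c.isalpha())
        if non_alpha < policy.min_non_alpha:
            problems.append("too few non-alphabetic characters")
        if non_alpha > policy.max_non_alpha:
            problems.append("too many non-alphabetic characters")
    # Compare against the current password and the newest history entries only.
    for old in [current, *history[:policy.history_depth]]:
        if different_chars(new, old) < policy.min_different_chars:
            problems.append("too few characters different from a previous password")
            break
    return problems
```

With two violations allowed, this check accepts any password that covers three of the five categories; setting the limit to 0 requires all five, including a letter without case.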


Password Policy Status 


You are assigned a password policy by your administrator. The policy determines the security 
measures associated with your password. You can check your password policy requirements as 
follows: 


1 On the Identity Self-Service tab, click Password Policy Status in the menu (under Password 
Management). 


The Password Policy Status page displays. 


Items labeled invalid are items that you cannot change. 


Password Sync Status 


Use the Password Sync Status page to determine if your password has been synchronized across 
applications. Access another application only after your password has synchronized. Accessing 
applications prior to completion of synchronization causes application access issues. 


1 On the Identity Self-Service tab, click Password Sync Status in the menu (under Password 
Management). 


The Password Sync Status page displays. Full-color icons indicate applications for which the 
password is synchronized. Dimmed icons indicate applications that are not yet synchronized. 


NOTE: Only the administrator can see the Select User box. 
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V Managing Users, Groups, and Teams 


If you have the appropriate role in the identity applications, you can create and manage users, 
groups, and teams. You can create users and teams in the Dashboard and the User Application. You 
create and manage groups in the User Application. 


System administrators can create users and groups. The system administrator can give others 
(typically, selected people in administration or management positions) access to this functionality. 


You might encounter some differences from functions documented in this section because of your 
job role, your level of authority, and customizations made for your organization. Consult your system 
administrator for details. 


To check which users or groups already exist, use the Directory Search page. See Appendix B, “Using 
the Directory Search in the User Application,” on page 95. 


A team represents a set of users, groups, or users and groups that can perform provisioning requests 
and approval tasks associated with the team. Although a team might match a group that exists in the 
user directory, teams are not the same thing as groups. That is, a group or a member of a group 
cannot perform team capabilities except when assigned to a team. See Chapter 14, “Managing 
Teams,” on page 81. 
Managing Users 


This section tells you how to create users and groups in the Dashboard and User Application. Topics 
include: 


+ “Creating a User” 
+ “Editing User Information” 
+ “Listing Users” 
+ “Finding Users” 
+ “Sorting Users” 


Creating a User 


The Create User page displays the user attributes that are enabled for Search and Read access. These 
access properties can be configured in the Directory Abstraction Layer (DAL). For more information, 
see Attribute Properties in the NetIQ Identity Manager - Administrator’s Guide to Designing the 
Identity Applications. 


To create a user, in the Dashboard select: 
People > Users > + 


The identity administrator defines the values that you can specify for the user. Also, when creating a 
user, you can see the user Container but you cannot modify its value. This limitation ensures that all 
users are stored in the same container. 


For more information, click the help icon on the Dashboard. 


Editing User Information 


Select a user from a list view, then click the edit icon to modify user information such as Title, 
Email, Telephone Number, Manager, and more. The following is an example of editing user information: 
Figure 13-1 Editing User Information 

[Figure: edit form for the example user Aliyah Hall, with the fields Title, Login Disabled, 
Telephone Number, Email, Direct Reports, and Manager, and the buttons Save and Cancel] 


You are allowed to modify the user attributes that are set by your administrator. For more 
information about configuring user attributes, see Customizing the Views in NetIQ Identity Manager 
- Administrator’s Guide to the Identity Applications. 


You can delete users in the Manage Users view. 


Listing Users 


Following are the different ways to list users in identity applications: 


+ List view: To view the users in list format, click the list view icon. This displays the user 
information on the right-hand side. To edit user information such as Telephone Number, Email, 
Manager, and more, click the edit icon. If you want to see the organization chart of a particular 
user, click the organization chart icon. 


+ Card view: To view the users in card format, click the card view icon. This displays the users' 
basic information on the cards. The administrator can configure what information to display on the 
user's card. For more information, see Customizing the Views in NetIQ Identity Manager - 
Administrator’s Guide to the Identity Applications. Click the edit icon to edit user information 
such as Telephone Number, Email, Manager, and other attributes. If you want to see the organization 
chart of a particular user, click the organization chart icon. 


+ Manage Users view: To view the users in tabular format, click the Manage Users view icon. This 
view allows you to sort users according to user attributes such as Telephone Number, Email, 
Department, and more. You can customize the columns to be shown in this view. For more information 
about customizing columns, click the help icon on the Dashboard. 

This view also allows you to delete users from the system. To delete users: 

1. Select a user that you want to delete. 
2. Click the delete icon. 


Finding Users 


Following are the different ways to find users in identity applications: 


+ Quick Search: Specifies the user attribute and lists the users based on the selected filters. To 
modify the filter options: 


1. Click the filter options icon. 
2. Select the filter options to search users. 


Following is an example of the selected user attributes for a quick search: 


[Figure: quick search filter options listing First Name, Last Name, Title, Department, Region, 
Email, and Telephone Number] 


3. Click Filter. 


For example, suppose you search for a user named Smith with the First Name and Last Name filters 
selected. Quick search lists all the users who have Smith in their First Name and Last Name. 


+ Advanced Search: This option returns a more refined list of users than quick search. You can 
search for a user with the defined user attributes. To use Advanced Search: 


1. Click the advanced search icon. 
2. Specify the exact user information for each user attribute. 


Following is an example of the specified user attributes for an advanced search: 


[Figure: Advanced Search dialog with Search by set to First Name = Emily, Last Name = Cameron, 
Email = emily.cameron@example.com, and Telephone Number = 5552368, and a + Add control] 


3. Click Filter. 


For example, to search for a user whose First Name is Aliyah, Last Name is Hall, and Title is 
Director, specify these attributes in the Advanced Search to find a user who has that exact set of 
attributes. 


You can also configure the search results on a page by setting the index at the bottom of the page. 
The Dashboard uses the Virtual List View (VLV) control that runs at LDAP OID 2.16.840.1.113730.3.4. 
This works in combination with the sort control. 


Identity Manager Dashboard displays two different counts while showing the results: 


+ Total Count: This is the total count of users found in the system. 


+ Search Count: This is the count of users shown for the specific search. 


Sorting Users 


The Manage Users view allows you to sort users according to their attributes. The administrator 
must configure compound indexes for the user attributes to enable sorting. For more information 
about compound indexing, see Creating Compound Indexes in NetIQ Identity Manager Setup Guide for 
Windows. 


NOTE: If you are unable to sort users by a user attribute, contact your administrator to 
configure a compound index for the required attribute. 
Managing Teams 


A team consists of two types of users: 


Requester 


Performs permission requests on behalf of other team members (the recipients). Depending on 
how the team is configured, a requester can act on an individual provisioning request, one or 
more categories of requests, or all requests. 


Also manages the proxy assignments for team members. 


Recipient 


Member of the team on whose behalf requesters can act. 


Team recipients can be users or groups within the directory. Alternatively, they can be derived 
through directory relationships. For example, the list of members could be derived by the 
manager-employee relationship within the organization. In this case, the team recipients would 
be all users that report to the team manager. 


NOTE: The Provisioning Administrator can configure the directory abstraction layer to support 
cascading relationships so that multiple levels within an organization can be included within a 
team. The number of levels to include is configurable by the administrator. 


To perform any of the following activities, go to People > Teams: 

+ “View Teams” 
+ “Create a Team” 
+ “Modify a Team” 


View Teams 


The Teams page lists all teams that you have permissions to view. You might be a member of all listed 
teams. However, you might also be an administrator with permissions to view, modify, or delete 
certain teams even though you are not a member. 


As a team member, you might be a requester, able to make requests on behalf of other team 
members. Also, others on the team might be able to perform those actions for you, the recipient. 


For more information, click the help icon on the Dashboard. 
Create a Team 


As an administrator, you can create teams. A team represents a set of users, groups, or users and 
groups that can perform provisioning requests and approval tasks associated with the team. 


For each team, you specify the team members (Recipients) who receive the team’s permissions and 
those who can take action on recipients’ behalf (Requesters). After you create a team, you can 
specify the Permissions (resources and provisioning request definitions) that apply to team 
members. For example, you can add a laptop resource that team members might be required to 
have. 


For more information, click the help icon on the Dashboard. 


Modify a Team 


As an administrator, you can modify and delete teams. You can modify the following aspects of a 
team: 


+ Change the Name and Description of the team. 
+ Modify Requesters for the team. 
+ Add or remove team members. 
+ Add or remove permissions for a team manager. 


For more information, click the help icon on the Dashboard. 
Managing Groups 


A group consists of users and other accounts that have common characteristics. For example, the 
Finance group consists of all employees in the Finance department. 


In the Dashboard, you can search for groups based on their description. Administrators who have 
access to the Settings page can customize the attributes by which a group entity can be searched. 
For more information, see Customizing the Views in the NetIQ Identity Manager - Administrator’s 
Guide to the Identity Applications. 


When you search for a specific group while assigning a role to a group, making a group the owner 
of a resource, or performing a simple search in the Groups page, the application returns the 
names of the groups that match the searched attribute. 


Creating a Group 


If you have an administrative role in the identity applications, you can create a group. 


1 In the Identity Manager Dashboard, go to People > Groups. 
2 Click +. 


3 Specify values for the following required attributes: 


Attribute What to Specify 


Name The group name for this new group. 


IMPORTANT: Do not use the following special characters in the Name field: 
+ A \ W I 


Description A description of this new group. The description is used as a group search 
criteria in the Dashboard. 


Container An organizational unit in the identity vault under which you want the new 
group stored (such as an OU named groups). For example: 


ou=groups, ou=MyUnit, o=MyOrg 


To learn about using the buttons provided to specify a container, see 
“Creating a User” on page 77. 


NOTE: You won't be prompted for Container if the system administrator 
has established a default create container for this type of object. 


4 Click Create. 


When the group is created successfully, the Group Members panel is displayed that allows you 
to add the users to the newly created group. 


5 To add users to the group, click the + icon beside the group members. 
6 Select the required users in the modal window. 
7 Click Add. 
Appendix 


The following appendixes provide additional reference information and advanced topics for the 
Identity Manager User Application. 


+ Appendix A, “Using the Identity Manager Approvals App” 
+ Appendix B, “Using the Directory Search in the User Application” 
Using the Identity Manager Approvals App 


In addition to the User Application user interface used by Identity Manager customers, you can now 
use a new iOS app that allows Identity Manager users to remotely approve or deny requests through 
the Roles Based Provisioning Module for Identity Manager. 


Once you install and configure the Approvals app, you can see the same approval tasks in the app 
that you would normally see in the User Application interface. All changes are synchronized between 
the Approvals app and the User Application. 


You can also work in offline mode when disconnected from the Identity Manager Roles Based 
Provisioning Module server, and the Approvals app will automatically synchronize any changes once 
connectivity is restored. 


This appendix provides information about installing and using the new Approvals app. For 
information about how Identity Manager administrators can configure their environment to allow 
users to use the app, see “Configuring the Identity Manager Approvals App” in the NetIQ Identity 
Manager - Administrator’s Guide to the Identity Applications. 


For more detailed information about the Approvals app, see the following sections: 


+ “Product Requirements” 
+ “Installing the Approvals App” 
+ “Configuring the Approvals App” 
+ “Overview of the Approvals App” 
+ “Changing the Approvals App Display Language” 


Product Requirements 


The Approvals app requires an Apple iPhone or iPad with Apple iOS 6 or iOS 7 installed or any device 
with Android 5.0 or later. 


NOTE: If your administrator has not enabled use of the Approvals app, you may not be able to 
configure the app after installation. For information on how administrators can configure the 
Identity Manager environment to enable use of the Approvals app, see “Configuring the Identity 
Manager Approvals App” in the NetIQ Identity Manager - Administrator’s Guide to the Identity 
Applications. 
Installing the Approvals App 


You can install the NetIQ Identity Manager Approvals app from the Approvals app page on the Apple 
App Store onto your device. 


After you install the Approvals app, you must then configure the app to be able to connect with your 
Roles Based Provisioning Module server. 


NOTE: If your User Application password has expired, we recommend that you change your password before 
installing and configuring the Approvals app. If the password policy in your environment allows a 
limited number of grace logins when a password expires, the Approvals app may use all of those 
logins in an attempt to sync your Identity Manager tasks to your device. 


Configuring the Approvals App 


You can configure the NetIQ Identity Manager Approvals app in several ways, depending on the 
needs of your environment and the way in which your administrator has configured Identity 
Manager: 


+ Make a request in the User Application interface for access to the Approvals app, and then 
launch the app on your device from the email link provided by your Identity Manager 
administrator. The link includes all the required configuration information. 


+ Click a configuration link or scan a configuration QR code using your device, where the link or 
QR code provides either all required configuration information or generalized configuration 
information for your company. 


+ Manually enter the configuration information for your environment in the app itself. 


IMPORTANT: In order for users to be able to automatically configure the Approvals app using either 
a link or QR code, the administrator for the Identity Manager environment must first enable the link 
or QR code. 


Requesting Mobile Access Through the User Application 


If configured by your administrator, you can request access to the Approvals app using the User 
Application. Identity Manager then sends an email that contains a customized link you can open on 
your device to automatically configure the app with your information. 


To request mobile access through the User Application: 


1 In a Web browser, log in to the Identity Manager User Application using the HTTPS (https://) 
protocol. 


NOTE: To request access to the Approvals app, you must log in to the User Application using the 
HTTPS protocol. 


2 Click Make a Process Request. 
3 Click the Process Request Category drop-down menu and select Accounts. 


4 Click Continue. 
5 Click Request Mobile Approval App. 


NOTE: The process request category and name may vary, depending on how your administrator 
has configured the Approvals app request process. 


6 Provide the required information in the process request form and click Submit. 


7 When you receive an email from your Identity Manager administrator, open the email on your 
device and click the link provided to connect your device to the Roles Based Provisioning 
Module server. 


NOTE: If you have previously installed the app, the app may display a warning message that 
existing settings will be overwritten. Ensure that the host name displayed in the warning 
message is the same host you accessed when you requested access to the app. If in doubt, do 
not click the link and contact your administrator. 


If the host name is correct, click Accept to overwrite your existing settings. 


8 When the app starts up, enter your password and click the Test Connection icon to verify 
your settings. 


Using a Configuration Link or QR Code 


Your Identity Manager administrator may provide a configuration link to configure your Approvals 
app. Open the link in a browser on your device to automatically configure the app. 


However, this link can only provide some of the required settings. Typically, a link or code can only 
provide the Roles Based Provisioning Module server details necessary for the Approvals app to 
function. After you click the link, you must manually configure your Username and Password 
settings, as well as any other settings not automatically configured. 


In some environments, you may not be able to access your email from your device. If you cannot 
receive email on your device, you can instead use your device to scan a personalized QR code 
provided by the Identity Manager administrator. 


Display the provided QR code on your computer or on a printed page, if necessary, and scan the code 
using a QR code reader on your device. After the QR code automatically configures the Approvals 
app for your environment, manually configure your Username and Password settings. 


Manually Configuring the Approvals App 


If the administrator of your Identity Manager environment does not provide a link or QR code to use 
when configuring the Approvals app, you can also configure the required configuration settings 
manually. 


WARNING: Because manually configuring the app on your device requires in-depth knowledge of 
Identity Manager components, we recommend only advanced users knowledgeable about the Roles 
Based Provisioning Module and User Application environment in your enterprise manually configure 
app settings. Other users should contact their Identity Manager administrator for information about 
configuring the app. 
In the app, click the Settings icon, specify the required settings, and then click the Test 
Connection icon to verify your settings. 


The Approvals app requires the following settings: 


Login Setting Name 
    Login Setting Description 


Username 
    Specifies the user name you use to access the Roles Based Provisioning Module server. 


Password 
    Specifies the password you use to access the Roles Based Provisioning Module server. 


Data Sync 
    Specifies if you want the app to actively sync data to the Roles Based Provisioning Module 
    server. 


Advanced > Server Details > Server 
    Specifies the fully qualified domain name or IP address of the Roles Based Provisioning 
    Module server. 


Advanced > Server Details > Secure Port 
    Specifies the HTTPS port the app uses to connect to the server. 


Advanced > Server Details > Context 
    Specifies the context used when installing the User Application WAR file. The default value 
    is IDMProv. 


Advanced > Server Details > User Container 
    Specifies the full DN of the Identity Vault container that stores user information. 


Advanced > Server Details > Timeout 
    Specifies the number of seconds the app waits when attempting to connect to the server 
    before cancelling the connection. The default value is 5 seconds. 


Advanced > Data Definition Settings > User Entity 
    Specifies the LDAP entity that represents a user in the Identity Vault. The default value is 
    user. 


Advanced > Data Definition Settings > Name Format 
    Specifies the DAL attribute representation the app uses to format a user’s full name. The 
    default value is FirstName LastName. 


Advanced > Data Definition Settings > First Name Attr 
    Specifies the name of the DAL attribute that represents a user’s first name. The default 
    value is FirstName. 


Advanced > Data Definition Settings > Last Name Attr 
    Specifies the name of the DAL attribute that represents a user’s last name. The default 
    value is LastName. 


Advanced > Data Definition Settings > User Photo Attr 
    Specifies the name of the DAL attribute that contains a user’s photo. The default value is 
    UserPhoto. 

    NOTE: If you do not have a picture configured in the Identity Manager or have configured 
    your Identity Manager settings to not display a picture, the app displays a generic image 
    instead. 


Advanced > Data Definition Settings > Work Phone Attr 
    Specifies the name of the DAL attribute that represents a user’s work phone number. The 
    default value is TelephoneNumber. 


Advanced > Data Definition Settings > Mobile Phone Attr 
    Specifies the name of the DAL attribute that represents a user's mobile phone number. The 
    default value is mobile. 


Advanced > Data Definition Settings > Email Attr 
    Specifies the name of the DAL attribute that represents a user’s email address. The default 
    value is Email. 


Advanced > Data Definition Settings > Photo LDAP Attr 
    Specifies the name of the LDAP attribute that contains the photo of the user. The default 
    value is photo. 


Advanced > Data Definition Settings > Naming Attribute 
    Specifies the naming DAL attribute used in the Identity Vault to describe a name. The default 
    value is cn. 


Advanced > Data Definition Settings > Provisioning Admin 
    Specifies whether you are a Provisioning Administrator on the Roles Based Provisioning 
    Module server. 


Advanced > Accepted Certificates 
    Specifies any invalid or self-signed certificates from the Roles Based Provisioning Module 
    server that you allow the Approvals app to accept. 

    When the Approvals app detects a self-signed or invalid certificate, the app asks you to 
    accept or reject the certificate. If you accept the certificate, the app adds a certificate 
    to the Accepted Certificates list. You can remove a certificate from the Accepted 
    Certificates list by clicking the name of the certificate and restarting the app. 

    NOTE: If the Roles Based Provisioning Module server certificate is valid, the app does not 
    add the certificate to the Accepted Certificates list. The app accepts valid certificates by 
    default. 


Advanced > Rejected Certificates 
    Specifies any invalid or self-signed certificates from the Roles Based Provisioning Module 
    server that you do not want the Approvals app to accept. 

    When the Approvals app detects a self-signed or invalid certificate, the app asks you to 
    accept or reject the certificate. If you reject the certificate, the app adds a certificate 
    to the Rejected Certificates list. If the server then presents a rejected certificate, the 
    app cannot create a connection to the server. 

    You can remove a certificate from the Rejected Certificates list by clicking the name of the 
    certificate. 
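

The accept/reject behaviour of the Accepted Certificates and Rejected Certificates settings, modelled 
as an added Python example that is not NetIQ code. The class and function names, the idea of an 
administrator-published fingerprint, and the placeholder certificate bytes are assumptions made for 
illustration; the example shows the check to make before accepting a self-signed certificate, which 
is to compare its SHA-256 fingerprint with one obtained from your administrator. 

```python
"""Added example (not NetIQ code): models the Accepted/Rejected Certificates
lists described above. All names are hypothetical, and the certificate bytes
are constructed placeholders rather than real DER certificates."""
import hashlib
import hmac
from enum import Enum


class Decision(Enum):
    CONNECT = "connect"
    REFUSE = "refuse"


def fingerprint(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate as AA:BB:... hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class CertificateLists:
    """Per-device accepted and rejected lists, keyed by fingerprint."""

    def __init__(self, published_fingerprint: str):
        # Assumption: the administrator publishes the server certificate's
        # fingerprint over a separate channel (intranet page, help desk).
        self.published = published_fingerprint
        self.accepted = set()
        self.rejected = set()
        self.prompts = 0  # how many times the user was asked to decide

    def _user_accepts(self, fp: str) -> bool:
        """Stand-in for the accept/reject dialog: accept only a certificate
        whose fingerprint matches the published one."""
        self.prompts += 1
        return hmac.compare_digest(fp.encode(), self.published.encode())

    def evaluate(self, cert_der: bytes, passes_validation: bool) -> Decision:
        fp = fingerprint(cert_der)
        if passes_validation:
            # Valid certificates are accepted by default and never listed.
            return Decision.CONNECT
        if fp in self.rejected:
            return Decision.REFUSE   # previously rejected: no connection
        if fp in self.accepted:
            return Decision.CONNECT  # previously accepted: no new prompt
        if self._user_accepts(fp):
            self.accepted.add(fp)
            return Decision.CONNECT
        self.rejected.add(fp)
        return Decision.REFUSE

    def remove(self, fp: str) -> None:
        """Remove an entry from either list. In this model the certificate is
        then unknown again, so the next connection prompts (assumption)."""
        self.accepted.discard(fp)
        self.rejected.discard(fp)


# Constructed sample inputs (placeholders, not real certificates).
SERVER_SELF_SIGNED = b"constructed: self-signed certificate of the RBPM server"
UNEXPECTED_CERT = b"constructed: certificate from an unexpected endpoint"
CA_ISSUED = b"constructed: certificate that chains to a trusted CA"


def demo():
    """Run five connection attempts and return the decisions and the lists."""
    lists = CertificateLists(fingerprint(SERVER_SELF_SIGNED))
    decisions = [
        lists.evaluate(CA_ISSUED, passes_validation=True),
        lists.evaluate(SERVER_SELF_SIGNED, passes_validation=False),
        lists.evaluate(SERVER_SELF_SIGNED, passes_validation=False),
        lists.evaluate(UNEXPECTED_CERT, passes_validation=False),
        lists.evaluate(UNEXPECTED_CERT, passes_validation=False),
    ]
    return decisions, lists


if __name__ == "__main__":
    decisions, lists = demo()
    for decision in decisions:
        print(decision.value)
    print("prompts:", lists.prompts)
```
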
Overview of the Approvals App 


This section provides an overview of the NetIQ Identity Manager Approvals app user interface. 
Topics include: 

+ “Tasks View” 
+ “Details View” 
+ “Bulk Mode” 
+ “Completed Tasks View” 
+ “Login Settings View” 
+ “Advanced Settings View” 


Tasks View 


The default view of the Approvals app is the Tasks view. This view displays all of the tasks currently 
assigned to or claimed by you, with the title of the task and the name and picture of the task 
recipient. The view lists tasks by expiration date, displaying the tasks due soonest at the top and 
tasks with no expiration date below. 


NOTE: 

+ If a user does not have a picture configured in the Identity Manager or has configured their 
Identity Manager settings to not display a picture, the app displays a generic image instead. 

+ Using the Approvals app, you cannot approve or deny tasks that use complex forms. 

+ At present, the Approvals app does not support new JSON forms on both the iOS and Android 
platforms. As a result, you may encounter an error message or not be able to view the task 
details. 


If you want to approve or deny a request, or if you want to view the details of a particular task, click 
the task or task recipient name. If you want to contact a task recipient, click the recipient’s picture. 


Details View 


The Details view displays details for a particular task assigned to you. The fields displayed vary 
depending upon the request. 


To approve or deny a task, provide any necessary information, and click either Approve or Deny. 


Bulk Mode 


If you need to approve or deny a large number of similar tasks, you can switch from the default 
single-task mode to bulk mode in the Tasks view. 


NOTE: You cannot approve all tasks in bulk mode. For more complex tasks, like attestation tasks, you 
must approve each attestation task separately in single-task mode. When you click the Bulk Mode 
icon, the app displays only the tasks in your list that can be approved in bulk mode. 
To approve or deny multiple tasks: 


1 In the Tasks view, click the Bulk Mode icon. 


2 Select the tasks you want to approve or deny. You cannot approve some tasks and deny other 
tasks at the same time. 


3 (Optional) If you want to approve or deny all tasks, click All. 


4 (Optional) If you change your mind and do not want to approve or deny any tasks, click the 
single-task mode icon. 


5 Click Approve or Deny. 


6 (Optional) Provide a comment regarding the bulk operation. 


7 Click Confirm. 


Completed Tasks View 


To view your completed tasks, click the Completed Tasks icon. The view displays the completed 
task, as well as the time the task was approved or denied. You can click a completed task to view the 
details of that particular task. For more complex requests, you can click Form Values to view specific 
information for the request. 


If necessary, you can delete one or more of your completed tasks from the Completed Tasks view. To 
delete tasks, click the Bulk Mode icon, select the tasks you want to delete, and click Delete. 


NOTE: The Completed Tasks view only displays tasks completed on your device. You cannot view 
tasks completed in the User Application or on another device with the Approvals app installed. 


Login Settings View 


The Login Settings view allows you to view or modify your login settings. 


WARNING: If your Identity Manager administrator provided a link or QR code to automatically 
configure your app settings, we recommend you do not modify those default settings unless your 
administrator instructs you to do so. 


Advanced Settings View 


The Advanced Settings view allows you to view or modify advanced settings that determine how you 
receive data from the Roles Based Provisioning Module server. 


WARNING: If your Identity Manager administrator provided a link or QR code to automatically 
configure your app settings, we recommend you do not modify those default settings unless your 
administrator instructs you to do so. 
If you accidentally change the Data Definition Settings in the Advanced Settings view, click Restore 
Defaults to restore the default settings provided by Identity Manager. Restore Defaults does not 
change your user name, password, or any of the Server Details settings. 


Changing the Approvals App Display Language 


The Approvals app includes localized text strings in multiple languages. To change the language the 
Approvals app uses, change the Language and Region Format settings on your iOS device. The 
Region Format settings configure how dates, times, and phone numbers are displayed on the device. 


To modify language and region settings: 


1 On your iOS device, click Settings. 


2 Click General. 


3 Click International. 


4 (Optional) If you want to change the language your device uses, click Language, select the 
language you want to use, and then click Done. 


5 (Optional) If you want to change the region format your device uses for dates and times, click 
Region Format, select the format you want to use and click International. 


6 Go back to your device’s home screen. 
Using the Directory Search in the User Application 


This section tells you how to use the Directory Search page on the Identity Self-Service tab of the 
User Application. Topics include: 

+ “Understanding Directory Search” 
+ “Performing Basic Searches” 
+ “Performing Advanced Searches” 
+ “Working with Search Results” 
+ “Using Saved Searches” 


NOTE: This section describes the default features of the Directory Search page. You might encounter 
some differences because of your job role, your level of authority, and customizations made for your 
organization; consult your system administrator for details. 


Understanding Directory Search 


You can use the Directory Search page to search for users, groups, or teams by entering search 
criteria or by using previously saved search criteria. 


For example, suppose Timothy Swan (Marketing Director) needs to search for information about 
someone in his organization. He goes to the Directory Search page and sees this by default: 


Figure B-1 Directory Search Page 

[Figure: the Directory Search page on the Identity Self-Service tab, showing the My Saved Searches 
list with the columns Modify, Remove, and Search Name, and a New Search button] 


He doesn’t yet have any saved searches to select from, so he selects New Search. 


There’s a user he wants to contact whose first name begins with the letter C, but he can’t remember 
the full name. He just needs to specify a basic search with this criterion. 


The search results display, enabling Timothy to examine and work with his requested information. By 
default, Identity tab information is displayed. 
Timothy clicks the Organization tab in the search results to get another view of the information. He 
recalls that the person he seeks works for Kip Keller, so that narrows it down to Cal Central. 


In addition to the tabs for different views, the search results page provides links and buttons for 
performing actions on its information. You can: 


+ Sort the rows of information by clicking the column headings
+ Display details (Profile page) for a user or group by clicking its row
+ Send new e-mail to a user by clicking the e-mail icon in that user’s row
+ Save the search for future reuse
+ Export the results to a text file
+ Revise the search by changing its criteria


When generating search results, you might sometimes need more than a basic search to describe 
the information you want. You can use an advanced search to specify complex criteria. 


If there’s an advanced search that you might need to perform again, you can retain it as a saved 
search. Saved searches are even handy for basic searches that you run frequently. For instance, 
Timothy Swan has added a couple of saved searches that he often uses. 


Performing Basic Searches 


1 Go to the Directory Search page and click New Search. The Basic Search page displays by default.

2 In the Search for drop-down list, specify the type of information to find by selecting Group or User.

3 In the Item Category drop-down list, select an attribute to search on. For example:

Last Name

The list of available attributes is determined by what you’re searching for (users or groups).

4 In the Expression drop-down list, select a comparison operation to perform against your chosen attribute. For example:

equals

For more information, see “Selecting an Expression” on page 99.

5 In the Search Term entry box, specify a value to compare against your chosen attribute. For example:

Smith

For more information, see “Specifying a Value for Your Comparison” on page 100.

6 Click Search.

Your search results display.


To learn about what to do next, see “Working with Search Results” on page 103. 
Performing Advanced Searches 


If you need to specify multiple criteria when searching for users or groups, you can use an advanced 
search. For example: 


Last Name equals Smith AND Title contains Rep 


If you specify multiple criteria groupings (to control the order in which criteria are evaluated), you'll 
use the same logical operations to connect them. For example, to perform an advanced search with 
the following criteria (two criteria groupings connected by an or): 


(Last Name equals Smith AND Title contains Rep) OR (First Name starts with 
k AND Department equals Sales) 


specify the following shown in Figure B-2 on page 97: 


Figure B-2 Specifying an Advanced Search on the Search List Page

[Screenshot: the Advanced Search form with Search for set to User and two criteria groupings connected by or. The first grouping is Last Name equals Smith and Title contains Rep; the second is First Name starts with k and Department equals Sales.]


The result of this search is shown in Figure B-3 on page 98. 
Figure B-3 Result of Advanced Search

[Screenshot: the Identity tab of the search results; each row also has an e-mail icon in the Email column.]

User: (Last Name equals Smith and Title contains Rep) -or- (First Name starts with k and Department equals Sales)
Sorted by: Department
Total Matches: 5

First Name  Last Name  Title                     Department  Manager
Jane        Smith      HR, Representative        hr          Renee Resource
Kate        Smith      Sales Representative      sales       Sally South
Ken         Carson     Account Executive         sales       Ned North
Kevin       Chang      Account Executive         sales       Ned North
Kip         Keller     VP, North American Sales  sales       Kelly Kilpatrick


To perform an advanced search: 


1 Go to the Directory Search page and click New Search. The Basic Search page displays by default. 
2 Click Advanced Search. The Advanced Search page displays. 


3 In the Search for drop-down list, specify the type of information to find by selecting one of the 
following: 


+ Group 
+ User 
You can now fill in the With this criteria section. 
4 Specify a criterion of a criteria grouping: 
4a Use the Item Category drop-down list to select an attribute to search on. For example: 


Last Name 


The list of available attributes is determined by what you’re searching for (users or groups). 


4b Use the Expression drop-down list to select a comparison operation to perform against 
your chosen attribute. For example: 


equals 


For more information, see “Selecting an Expression” on page 99. 


4c Use the Search Term entry to specify a value to compare against your chosen attribute. For 
example: 


Smith 


For more information, see “Specifying a Value for Your Comparison” on page 100. 
5 If you want to specify another criterion of a criteria grouping: 


5a Click Add Criteria on the right side of the criteria grouping: 
[+] 


5b On the left side of the new criterion, use the Criteria Logical Operator drop-down list to 
connect this criterion with the preceding one; select either and or or. You can use only one 
of the two types of logical operator within any one criteria grouping. 


5c Repeat this procedure, starting with Step 4. 


To delete a criterion, click Remove Criteria to its right: [x] 
6 If you want to specify another criteria grouping: 
6a Click Add Criteria Grouping. 


6b Above the new criteria grouping, use the Criteria Grouping Logical Operator drop-down list 
to connect this grouping with the preceding one; select either and or or. 


6c Repeat this procedure, starting with Step 4. 
To delete a criteria grouping, click Remove Criteria Grouping directly above 
it. 
7 Click Search. 
Your search results display. 


To learn about what to do next, see “Working with Search Results” on page 103. 


Selecting an Expression 


Click Expression to select a comparison criterion for your search. The list of comparison (relational) 
operations available to you in a criterion is determined by the type of attribute specified in that 
criterion: 


Table B-1 Comparison Operations for Searching

If the attribute is a:

String (text)

You can select one of these comparison operations:

+ starts with
+ contains
+ equals
+ ends with
+ is present
+ does not start with
+ does not contain
+ does not equal
+ does not end with
+ is not present

If the attribute is a:

String (text) with a predetermined list of choices
User or group (or other object identified by DN)
Boolean (true or false)

You can select one of these comparison operations:

+ equals
+ is present
+ does not equal
+ is not present

If the attribute is a:

User (item category: Manager, Group, or Direct Reports)

You can select one of these comparison operations:

+ equals
+ is present
+ does not equal
+ is not present

If the attribute is a:

Group (item category: Members)

You can select one of these comparison operations:

+ equals
+ is present
+ does not equal
+ is not present

If the attribute is a:

Time (in date-time or date-only format)
Number (integer)

You can select one of these comparison operations:

+ equals
+ greater than
+ greater than or equal to
+ less than
+ less than or equal to
+ is present
+ does not equal
+ not greater than
+ not greater than or equal to
+ not less than
+ not less than or equal to
+ is not present


Specifying a Value for Your Comparison 


The type of attribute specified in a criterion also determines how you specify the value for a 
comparison in that criterion: 

Table B-2 Method of Entering Comparison Value

If the attribute is a                                 You do this to specify the value

String (text)                                         Type your text in the text box that displays on the right.
String (text) with a predetermined list of choices    Select a choice from the drop-down list that displays on the right.
User or group (or other object identified by DN)      Use the Lookup, History, and Reset buttons that display on the right.
Time (in date-time or date-only format)               Use the Calendar and Reset buttons that display on the right.
Number (integer)                                      Type your number in the text box that displays on the right.
Boolean (true or false)                               Type true or false in the text box that displays on the right.


Don’t specify a value when the comparison operation is one of the following: 


+ is present 


+ is not present 


Case in Text 


Text searches are not case sensitive. You’ll get the same results no matter which case you use in your 
value. For example, these are all equivalent: 


McDonald 
mcdonald 
MCDONALD 


Wildcards in Text 


You can optionally use the asterisk (*) as a wildcard in your text to represent zero or more of any 
character. For example: 


Mc* 
*Donald 
*Don* 
McD*d 
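The criteria groupings from “Performing Advanced Searches” and the case and wildcard rules above can be modelled in a few lines. This is an added example, not NetIQ code: the function names, the way each expression wraps the term in implicit wildcards, and left-to-right evaluation of groupings are assumptions, and the last two directory rows are constructed.

```python
import re

# Constructed rows: five users from Figure B-3, then two made-up non-matching entries.
FIELDS = ("First Name", "Last Name", "Title", "Department")
USERS = [dict(zip(FIELDS, row)) for row in [
    ("Jane", "Smith", "HR, Representative", "hr"),
    ("Kate", "Smith", "Sales Representative", "sales"),
    ("Ken", "Carson", "Account Executive", "sales"),
    ("Kevin", "Chang", "Account Executive", "sales"),
    ("Kip", "Keller", "VP, North American Sales", "sales"),
    ("Bob", "Smith", "Engineer", "eng"),
    ("Karl", "Jones", "Clerk", "hr"),
]]

# Assumed model: where each string expression puts implicit wildcards around the term.
SHAPES = {"equals": "{}", "starts with": "{}*", "contains": "*{}*", "ends with": "*{}"}
NEGATED = {"does not equal": "equals", "does not start with": "starts with",
           "does not contain": "contains", "does not end with": "ends with"}

def term_to_regex(expression, term):
    """Case-insensitive pattern; '*' in the term means zero or more characters."""
    shaped = SHAPES[expression].replace("{}", term)
    body = ".*".join(re.escape(part) for part in shaped.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def match_criterion(user, criterion):
    attribute, expression, term = criterion
    value = user.get(attribute)
    if expression in ("is present", "is not present"):  # these take no value
        return (value is not None) == (expression == "is present")
    negate = expression in NEGATED
    base = NEGATED.get(expression, expression)
    hit = value is not None and bool(term_to_regex(base, term).fullmatch(value))
    return hit != negate

def match_grouping(user, grouping):
    """grouping = (operator, criteria): one operator type per grouping (step 5b)."""
    operator, criteria = grouping
    if operator not in ("and", "or"):
        raise ValueError("operator must be 'and' or 'or'")
    results = [match_criterion(user, c) for c in criteria]
    return all(results) if operator == "and" else any(results)

def search(users, groupings, connectors):
    """Join groupings left to right with the grouping-level operators (order assumed)."""
    if len(connectors) != len(groupings) - 1:
        raise ValueError("need one connector between each pair of groupings")
    found = []
    for user in users:
        verdict = match_grouping(user, groupings[0])
        for connector, grouping in zip(connectors, groupings[1:]):
            right = match_grouping(user, grouping)
            verdict = (verdict and right) if connector == "and" else (verdict or right)
        if verdict:
            found.append(user)
    return found

# The page's sample search: two 'and' groupings joined by 'or'.
SAMPLE = [
    ("and", [("Last Name", "equals", "Smith"), ("Title", "contains", "Rep")]),
    ("and", [("First Name", "starts with", "k"), ("Department", "equals", "Sales")]),
]
def sample_matches():
    return [u["First Name"] for u in search(USERS, SAMPLE, ["or"])]
```

Running sample_matches() returns the same five users as Figure B-3, and the two constructed rows are rejected because each satisfies only one criterion of an and grouping.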


Using the Lookup, History, and Reset Buttons 


Some search criteria display Lookup, History, and Reset buttons. This section describes how to use 
these buttons: 
Table B-3 Lookup, History, and Reset Buttons in Search Criteria

Button     What It Does

Lookup     Looks up a value to use for a comparison
History    Displays a History list of values used for a comparison
Reset      Resets the value for a comparison


To look up a user: 


1 Click Lookup to the right of an entry (for which you want to look up the user). 

The Lookup page displays. 


2 Specify search criteria for the user you want: 


2a Use the drop-down list to select a search by First Name or Last Name. 


2b In the text box next to the drop-down list, type all or part of the name to search for. 


The search finds every name that begins with the text you type. It is not case sensitive. You 
can optionally use the asterisk (*) as a wildcard in your text to represent zero or more of 
any character. 


For instance, all of the following examples find the first name Chip: 

Chip 
chip 
c 
c* 
*p 
*h* 


3 Click Search. 


The Lookup page displays your search results. 


If you see a list of users that includes the one you want, go to Step 4. Otherwise, go back to 
Step 2. 


You can sort the search results in ascending or descending order by clicking the column 
headings. 


4 Select the user you want from the list. 


The Lookup page closes and inserts the name of that user into the appropriate entry as the 
value to use for your comparison. 


To look up a group as a search criterion for a user: 


1 Add Group as a search criterion, then click Lookup to the right of the Search Term field. 


The Lookup page displays search results. 
2 Specify search criteria for the group you want: 
2a In the drop-down list, your only choice is to search by Description. 
2b In the text box next to the drop-down list, type all or part of the description to search for. 


The search finds every description that begins with the text you type. It is not case 
sensitive. You can optionally use the asterisk (*) as a wildcard in your text to represent zero 
or more of any character. 


For instance, all of the following examples find the description Marketing: 


Marketing 
marketing 
m 
m* 
*g 
*k* 

3 Click Search. 

The Lookup page displays your search results. 


If you see a list of groups that includes the one you want, go to Step 4. Otherwise, go back to 
Step 2. 


You can sort the search results in ascending or descending order by clicking the column heading. 
4 Select the group you want from the list. 


The Lookup page closes and inserts the description of that group into the appropriate entry as 
the value to use for your comparison. 


To use the History list: 
1 Click History to the right of an entry (whose previous values you want to see): 


The History list displays previous values for this criterion in alphabetical order. 


2 Do one of the following: 


If you want to                Do this

Pick from the History list    Select a value that you want from the list.
                              The History list closes and inserts that value into the appropriate entry
                              as the value to use for your comparison.

Clear the History list        Click Clear History.
                              The History list closes and deletes its values for this entry. Clearing the
                              History list does not change the current value of the entry in your
                              comparison.


Working with Search Results 


This section tells you how to work with the results that display after a successful search: 


+ “About Search Results”
+ “Using the Search List”
+ “Other Actions You Can Perform”


About Search Results 


The content of your search results depends on the type of search you perform: 


+ “For a User Search”
+ “For a Group Search”

On any search results page, you can select:

+ View My Saved Searches
+ Save Search
+ Revise Search
+ Export Results
+ Start a New Search


For a User Search 


In the results of a user search, the list of users provides tabs for three views of the information: 
+ Identity (contact information) 
+ Location (geographical information) 
+ Organization (organizational information) 

For a Group Search 


The results of a group search provide only the Organization view of the information. 


Using the Search List 


You can do the following with the list of rows that displays to represent your results: 


+ “To Switch to Another View”
+ “To Sort the Rows of Information”
+ “To Display Details for a User or Group”
+ “To Send E-Mail to a User in the Search List”


To Switch to Another View 


1 Click the tab for the view you want to display. 


To Sort the Rows of Information 


1 Click the heading of the column that you want to sort. 
The initial sort is in ascending order. 


2 You can toggle between ascending and descending order by clicking the column heading again 
(as often as you like). 


To Display Details for a User or Group 
1 Click the row for the user or group whose details you want to see (but don’t click directly on an 
e-mail icon unless you want to send a message instead). 
The Profile page displays, showing detailed information about your chosen user or group. 


This page is just like the My Profile page on the Identity Self-Service tab. The only difference is 
that, when you are viewing details about another user or group (instead of yourself), you might 
not be authorized to see some of the data or perform some of the actions on the page. Consult 
your system administrator for assistance. 


2 When you’re done with the Profile page, you can close its window. 


To Send E-Mail to a User in the Search List 


1 Find the row of a user to whom you want to send e-mail. 


2 Click Send E-Mail in that user's row: 


A new message is created in your default e-mail client. The message is blank except for the To 
list, which specifies your chosen user as a recipient. 


3 Fill in the message contents. 


4 Send the message. 


Other Actions You Can Perform 


While displaying search results, you can also: 


+ “Save a Search”
+ “Export Search Results”
+ “Revise Search Criteria”


Save a Search 


To save the current set of search criteria for future reuse: 


1 Click Save Search (at the bottom of the page). 
2 When prompted, specify a name for this search. 


If you're viewing the results of an existing saved search, that search name displays as the 
default. This enables you to update a saved search with any criteria changes you've made. 


Otherwise, if you type a search name that conflicts with the name of an existing saved search, a 
version number is automatically added to the end of the name when your new search is saved. 


3 Click OK to save the search. 
The Search List page displays a list of My Saved Searches. 


To learn more about working with saved searches, see “Using Saved Searches” on page 107. 


Export Search Results 


To export search results to a text file: 


1 Click Export Results (at the bottom of the page). 
The Export page displays. 


By default, View on screen is selected, and CSV is chosen in the format drop-down list. 
Consequently, the Export page shows your current search results in CSV (Comma Separated 
Value) format. 


2 If you want to see what those search results look like in Tab Delimited format instead, select Tab 
Delimited in the drop-down list, then click Continue. 


3 When you're ready to export your current search results to a text file, select Export to disk. 
The Export page displays. 


4 Use the Format drop-down list to select an export format for the search results. 


Export Format                                   Default Name of Generated File

CSV                                             SearchListResult.date.time.csv
                                                For example: SearchListResult.27-Sep-05.11.21.47.csv

Tab Delimited                                   SearchListResult.date.time.txt
                                                For example: SearchListResult.27-Sep-05.11.20.51.txt

XML (available if you are exporting to disk)    SearchListResult.date.time.xml
                                                For example: SearchListResult.27-Sep-05.11.22.51.xml


5 Click Export. 
6 When prompted, specify where to save the file of exported search results. 


7 When you're finished exporting, click Close Window. 


Revise Search Criteria 


1 Click Revise Search (at the bottom of the page). 
This returns you to your previous search page to edit your search criteria. 
2 Make your revisions to the search criteria according to the instructions in these sections: 
+ “Performing Basic Searches” on page 96 


+ “Performing Advanced Searches” on page 97 
Using Saved Searches 


When you go to Directory Search, the My Saved Searches page displays by default. This section 
describes what you can do with saved searches: 


To List Saved Searches 


1 Click the My Saved Searches button at the bottom of a Directory Search page. The My Saved 
Searches page displays. 


To Run a Saved Search 


1 In the My Saved Searches list, find a saved search that you want to perform. 
2 Click the name of the saved search (or click the beginning of that row). 
Your search results display. 


To learn about what to do next, see “Working with Search Results” on page 103. 


To Edit a Saved Search 


1 In the My Saved Searches list, find a saved search that you want to revise. 
2 Click Edit in the row for that saved search. 
This takes you to the search page to edit the search criteria. 
3 Make your revisions to the search criteria according to the instructions in these sections: 
+ “Performing Basic Searches” on page 96 
+ “Performing Advanced Searches” on page 97 


4 To save your changes to the search, see “Working with Search Results” on page 103. 


To Delete a Saved Search 


1 In the My Saved Searches list, find a saved search that you want to delete. 
2 Click Delete in the row for that saved search. 


3 When prompted, click OK to confirm the deletion. 